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VOLUME V 
IN THE UNITED STATES ARMY 

UNITED STATES 
VS. 

MANNING, Bradley E., PFC COURT-MARTIAL 
U.S. Army, xxx— xx— 9504 

Headquarters and Headquarters Company, 

U.S. Army Garrison, 

Joint Base Myer— Henderson Hall, 

Fort Myer, VA 22211 

/ 

The Hearing in the above— titled matter was 
continued on Tuesday, June 11, 2013, at 1:45 p.m., at 
Fort Meade, Maryland, before the Honorable Colonel 
Denise Lind, Judge. 
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DISCLAIMER 
This transcript was made by a court 
reporter who is not the official Government reporter, 
was not permitted to be in the actual courtroom where 
the proceedings took place, but in a media room 
listening to and watching live audio/video feed, not 
permitted to make an audio backup recording for editing 
purposes, and not having the ability to control the 
proceedings in order to produce an accurate verbatim 
transcript . 

This unedited, uncertified draft transcript 
may contain court reporting outlines that are not 
translated, notes made by the reporter for editing 
purposes, misspelled terms and names, word combinations 
that do not make sense, and missing testimony or 
colloquy due to being inaudible by the reporter. 
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PROCEEDINGS, 
THE COURT: Court is called to order. 

Major? 

MR. FEIN: Your Honor, all parties when the 
court last recessed are again present. 

Captain Morrow is also present . 

THE COURT: Is the government ready to 

proceed? 

THE PROSECUTION: The United States calls 
Mr . Kenneth Moser . 

THE COURT: I didn't ask the parties if 
there are any issues we needed to address, I assume 
there are none? 

THE PROSECUTION: No, ma'am. 

Whereupon, 

KENNETH MOSER, 
called as a witness, having been first duly sworn to 
tell the truth, the whole truth, and nothing but the 
truth, was examined and testified as follows : 

THE PROSECUTION: (INAUDIBLE) . 

THE WITNESS: Yes, sir. 
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DIRECT EXAMINATION BY THE PROSECUTION: 
Q Mr. Moser, what is your military 

background? 

A 21 years in the Air Force since I retired. 

Q What did you do in the Air Force? 

A (INAUDIBLE) . 

Q When did you retire? 

A In 2009. 

Q What did you do after retirement? 

A I got hired at unit Central Command working 

as a command paralegal manager . 

Q What do you do as command paralegal 

manager? 

A I oversee office, manpower, budget IT, 

small (INAUDIBLE) . 

Q And where are you assigned? 

A I am at US Central Command down at Tampa. 

Q How much do you work with classified 

information at that position? 
A On a daily basis . 

Q What are some of the ways you work with 
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classified information? 

A Documents, e-mails, receive a lot of 

e-mails that are classified. Handling documents, 
drafting documents that will be classified. 

Q How do you identify classified information? 

A For a document it would be at the top and 

bottom of a page marked what the classification level 
is . 

Also you'll see paragraphs that are marked 
appropriately so you might have one paragraph that ' s 
unclassified and the next paragraph would be the 
classified marking. 

Q When did you first become involved in this 

case? 

A Approximately three years ago I ' d say . 

Q Let ' s talk a little bit about your work 

with the CENTCOM website . What do you do for the 
CENTCOM website? 

A I'm the Sharepoint portal manager. 

Q What is Sharepoint? 

A SharePoint is a Microsoft product 
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collaboration tool that our command uses for 
information, sharing and storage of documents . 

Q What do you do to manage it? 

A I initially — when we went to our newest 

Sharepoint version I built the sites, the look, and 
feel of them. And then I post documents out there, set 
up folders, set up different libraries for our 
different sections in our office that they can then use 
to, you know, as they see fit for their sections. 

Q What version of SharePoint was the CENTCOM 

website running in 2009, 2010? 

A It would have been SharePoint 2007. 

Q How long have you been working with 

SharePoint at CENTCOM? 

A When I initially got there in 2005, active 

duty, I got there 2005 and then we started using 
SharePoint probably late 2007, 2008 timeframe. 

Q Who had access to the CENTCOM website in 

2009 and 2010? 

A The CENTCOM overall website? Anybody who 

had access to it, had SIPR access, could get onto 
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CENTCOM sites and had a lot of information from our 
components that they could get on there, get 
information if they needed to. 

Q Specifically what portion do you manage? 

A I manage the SJA, the Staff Judge Advocates 

portal site . 

Q Who had access to that SJA portal site in 

2009, 2010? 

A For the home page anybody who had access to 

the CENTCOM SIPR page could get access to our home 
page . And then we had a legal document library that 
was in there that was open to the public . And then we 
had a few other sites that we had blocked out some 
other permissions just for personnel site in our 
office . 

Q What kind of information was in the legal 

document library? 

A We just tried to put a lot of information 

out there for our people that were out in the fields, 
just a lot of references, checklists, maybe AMHS 
messages, FRAGOs . Just information that they might 
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need to do their duty . 

Q How often have you used this website since 

2005? 

A How often have I used it? When we started 

using it in late 2007/2008 we didn't use it as 
frequently as we do now. We use it almost exclusively. 
We had hung the documents out there over a period of 
time and so I would say, you know, on a weekly basis we 
do a little bit here and then get on it, get on the 
site and put stuff on there. 

Q How often do you personally use it? 

A Myself? Back then probably I ' d say once a 

week. I mean, to get on the CENTCOM home page portal 
site every day, that's your setting on your home page. 
On our site, you know, couple times a week I'd always 
be on it . 

Q How many portals were there in 2009/2010? 

A We had a releaseable portables and 

non— releasable portals . 

Releasable just meant that it was open to 
some of our coalition countries . When you went on 
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there it had a purple banner and it read rel . to, the 
country, Great Britain, New Zealand. 

Q What kind of information was in that 

portal? 

A On the rel. portal? It would be 

information that was either unclassified or information 
that was releasable to those countries that were out 
there . 

Q What was the non— releasable portal? 

A The non— releasable portal was for US only 

or secret, no foreign. And it was only — it was 
locked down to just those US personnel that had access 
to the SIPR. 

Q Who primarily used this portal? 

A The secret portal? Just about everybody in 

the Command tended to use the secret non-releasable 
more than the rel. It was easier that way to try to 
avoid having some sort of spillage than putting 
something on the releasable portal that shouldn ' t be 
there . 

THE PROSECUTION: We're retrieving 
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Prosecution Exhibit 91 for identification. 



BY MR. PROSECUTION: 



Q 



Mr. Moser, can you see that on the screen? 



A 



Yes . 



Q 



What is it? 



A 



It ' s a snapshot there of our non— releasable 



portal 



page, 



the CENTCOM home page there . 



Q 



How do you recognize it? 



A 



We got our leadership there in the center, 



2007 version. That was who the leadership was. 

And then at the top it has the secret 
SIPRNET. That's what it has on it. So and then the 
left-hand corner, that's the CENTCOM logo, United 
States Central Command SIPRNET . That was the home 
page . 

Q Does this accurately reflect how the 

website looked in 2009 and 2007? 
A Yes, sir. 

Q What is accessible from this web page? 

A Most of the stuff on the left side would be 

accessible to open up to the public and then there's a 



Provided by Freedom of the Press Foundation 



1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 



UNOFFICIAL DRAFT - 6/11/13 Afternoon Session 



13 

banner, it's not shown on there, that goes across it. 
It had all the different organization, all the 
different diplomats . They would have drop down menus 
that you could go to their sites as well their home 
pages . 

Q Do you recognize this document? 

THE COURT: What is that document? Is it 
part of the same exhibits? 

THE PROSECUTION : Yes . 

A That is a snapshot of our SSJA, the home 

page of the non-releasable portal . 

Q How would a user navigate to the home page? 

A From the home page they could have gone to 

the organization and seen Special Staff and JA would 
have fell underneath the Special Staff and that ' s why 
it has a non-releasable JA site there . 

Q How do you recognize it? 

A Those were personnel that were in our 

office that they have — and over on the left— hand 
side, the areas of expertise, CENTCOM legal document 
library. Post government employer. Those are all 
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stuff that were on our site. 

Q Do you recognize this document? 

A Yes, sir. That is, looks like all the 

folders that we had at the time in our CENTCOM legal 
document library . 

Q How often did you work with this library? 

A Like I said, maybe a few times a week back 

then, depending on what folder. We might get one 
document that, you know, document in it or one PDF file 
in a particular folder. 

Q Who at CENTCOM used this library primarily? 

A This is open to our command and it was open 

to those personnel, like I said, that were in theater 
that could have access to this page. This is where we 
tried to hang a lot of information out there for 
personnel to get access to. 

Q Do you recognize this page? 

A Yes, sir. That's, that was an 

investigation that we had. It was under the 
investigations library. That was our folder under the 
CENTCOM legal document library. 
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Q What was the fraud investigation? 

A It was a CIC code investigation from 

Afghanistan, casualty. 

Q When was this, when was this folder on 

CENTCOM's website? 

A Back around 2008 when we had the SharePoint 

site we started, this would be one of the folders that 
we created under the investigation folders . 

Q What was the investigations folder used for 

primarily? 

A We had put some of the investigations out 

there just kind of a storage place for documents . 

Q Who primarily accessed this? 

A Mainly it was personally in our office, 

like I said, anything under the CENTCOM legal document 
library was opened up to those US personnel that had 
access to it . 

Q How would somebody navigate to this folder? 

A Under the CENTCOM legal document library 

you would have had a folder called investigations . 
They would click on that folder and it brought up this 
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particular investigation. 



Q 



Do you recognize this document? 



A 



Yes, sir. 



Q 



What is it? 



A 



Those were subfolders under the Farah 



investigation . 



Q 



And what would have been in these folders . 



A 



It would have been information contained 



from the investigation. You see the folders' names and 
e-mails and logistics of the people that were 
investigating or e-mails from investigation briefs. 
There's videos, which would contain videos of the 
investigation . 

Q When would this folder have been on the 

CENTCOM website? 

A During the same time it was created when 

the Farah investigation folder was started. 

Q Who had access to it? 

A Once again, the same personnel. It's been 

open to those personnel that had access to the CENTCOM 
non-releasable portal site . 
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Q Do you recognize this? 

A Yes, sir. 

Q What is it? 

A Those were folders, zip files that had 

videos in it that were included in the, they're under 
the video folders of the Farah investigation. 

Q Why were they there? 

A They were there as part of the whole 

investigation that was out there on the site. 

Q What does the icon to the left of BE22PAX 

indicate? 

A The icon underneath the type? 

Q Yes. 

A That was a zip file that contained the 

videos inside of that folder so if you click on that it 
takes you to where the video was; BE22 was the video. 

Q Were they protected? 

A No, sir. 

Q By password? 

A Should have been able to access them. 

Q When would this be on the website? 
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A 



Same time the investigation was completed, 



2008 somewhere . 



Q 



Who had access to it? 



A 



Same person that had access to the CENTCOM 



library, the CENTCOM home page. 



Q 



Mr. Moser, was that file, the zip file, 



protected? 



A 



The file, it is protected now. I don't 



know. I can't recall back then if it had a password on 
it at that time. We downloaded the whole investigation 
we put on this portal site, so. 

THE PROSECUTION: Your Honor, the 
government moves to admit Prosecution Exhibit 19 for 
admission into evidence. 



THE DEFENSE: No objection, ma'am. 

THE COURT: Exhibit 91 for identification 



May I see it? 

THE DEFENSE: Cross-examination? 

THE COURT: Yes, sir. 

CROSS EXAMINATION BY THE DEFENSE: 
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Q Good afternoon, Mr. Moser . 

A Yes, sir. 

Q The use of SharePoint in CENTCOM, that was 

something that was directed to be used? 

A Each division or section could use it as 

they see fit. Some people use it as a collaboration 
tool, some use it as storage site, as you see fit. 
Back then it wasn ' t a mandate that you had to use it . 

Q You said, when you talked to Captain Fein, 

you go on the website fairly frequently? 

A I do. 

Q Do you ever go to any other staff sections? 

A Are you talking currently? 

Q No, let's go back in 2009, the same 

timeframe that Captain Fein was talking about? 
A Yes, sir. 

Q You went on those other sections? 

A I went on others; yes, sir. 

Q Not to force you to do a class on the 

structure of the Central Command, but the Central 
Command is a very robust headquarters, correct? 
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A Yes, sir. 

Q It has all the normal staff sections that 
you would associate with the headquarters of that size? 

A Correct . 

Q Personnel? 

A Jl we called it . 

Q J2 with intelligence? 

A Correct . 

Q Plans J5, J3 current operations? 

A Yes, sir. 

Q All of those. And would you have occasion 
in this time period to go to those particular pages? 

A Yes, sir. A lot of times if I do legal 



research, for example, I would go on the J3 ops, on the 
site I had I could do research on FRAGOs or op orders 
or things like that . A lot of information like that 
was out on the other sites I can get to . 

Q And the robust use of SharePoint, the use 

of SharePoint anyway was something that all staff 
sections were doing, hanging information on there, 
using it for their own use or hanging out there for 
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anyone that could get on the site? 

A They would push stuff out there. Like I 

said, each section controlled the permission level . A 
lot of stuff I wouldn't have access or know it was out 
there . I might not see it . I wouldn ' t know what other 
sections — stuff I couldn't see I wouldn't know what's 
out there . 

Q Right. You wouldn't know until you get 

into — 

A Until somebody gave me permission or told 

me about a site and I could ask for permission to get 
to it . 

Q But you assume you had permission, that you 

could go on there and conduct your legal research or 
looking at operations orders or FRAGOs or weather or 
whatever? 

A You could — the way SharePoint works, you 

lock down permission level. And I do a search, it 
won ' t pull up search on the sites that I don ' t have 
access to. You won't know a sites exists if you don't 
have certain permission levels . You go to the right 
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side and you might not. see a folder where somebody else 
that has permission would have the folder on that 
particular site. 

THE DEFENSE: Thanks, Mr. Moser . 

THE WITNESS: Yes, sir. 

THE COURT: Redirect? 

THE PROSECUTION: No, Your Honor. 

THE COURT: Temporary or permanent excusal? 

THE PROSECUTION : Temporary . 

THE COURT: Mr. Moser, you're temporarily 
excused. Please don't discuss your testimony or 
knowledge of the case with anyone other than counsel or 
the accused. 

Please call your next witness . 

THE PROSECUTION: United States offers of a 
stipulation for the record. Stipulation of expected 
testimony is going three in a row, Your Honor, PE73 
prosecution Exhibit 74 and Prosecution Exhibit 75. 

THE COURT : Thank you . 

(Whereupon, Prosecution Exhibit 73, the 
stipulated testimony of James Fung, was read into the 
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record. ) 

THE PROSECUTION: The United States calls 
Special Agent Dave Shaver . 
Whereupon, 

DAVID SHAVER, 

called as a witness, having been previously duly sworn 
to tell the truth, the whole truth, and nothing but the 
truth, was examined and testified as follows: 

DIRECT EXAMINATION BY THE PROSECUTION: 
Q You can have a seat in the chair. You are 

still under oath. 

Did you examine an image of a computer 
seized from an individual Jason Katz? 
A Yes, I did. 

Q Why were you asked to examine the computer? 

A To determine the presence of a file called 

B dot z ip . 

Q Before you began your examination, did you 

ensure that the examination was forensically sound? 

A Yes, sir. I verified the hash values 

matched and I started my examination. 
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Q And first, before we get into the B dot 

zip, what kind of computer was this? 

A Sir, there was a Linux computer. 

Q What is that? 

A Sir, that's just an operating system. 

Q Did you find the B dot zip file? 

A Yes, sir; I did. There was one user 

account on the computer. The user name was Kupo, 
K— U— P— O, within that user profile, the file b dot zip 
was present . 

Q Can you please tell us about b dot zip? 

A Yes, sir. 

Q Did this zip file have any security 

protections on it? 

A Yes, sir. It was — it had a password. 

Q What do you mean? If it had a password, 

how would I open this file essentially? 

A Sir, it was a zip file so if you double 

click on it, it would ask you for the password. 

Q Now, if I double clicked on the zip file, 

would I be able to see the contents of the file? 
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A You can see the file listing, yes, sir; but 

not actually, you couldn't actually see the movie 
inside . 

Q So if I tried to double click on the movie 

inside I wouldn't be able to open it? 
A Correct . 

Q And how complicated was this password? 

A Sir, the password was complicated. It had 

both upper case, lower case, numbers and symbols within 
the password. 

Q And how did you get the password to open 

this file? 

A The password was provided to me by another 

CCIU agent . 

Q And where had that password been collected 

from? 

A CENTCOM itself. 

Q What was inside the b dot zip file? 

A There was a movie file, BP AX number 22 dot 

WMV. 

Q What is dot WMV? 
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A It's a Windows movie file, sir. 

Q And have you seen this movie file before? 

A I had, sir. 

Q And when had you seen this movie file? 

A Sir, in examination of the CENTCOM server, 

SharePoint Server itself, I noticed it there and viewed 
it there as well . 

Q Where on the CENTCOM server? 

A There ' s a folder concerning the S JA 

investigations on a subf older called Farah . 

Q I'm retrieving what's been admitted as 

Prosecution Exhibit 65 . 

If I can ask you to move over to the panel 
box and if you would just sit in there. 

A Yes, sir. 

THE COURT: Is that Prosecution Exhibit 65? 
THE PROSECUTION: 65. 

Q I'm handing you Prosecution Exhibit 65. If 

you would just take a couple moments to look through 
it. 

(Witness reading.) 



Provided by Freedom of the Press Foundation 



1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 



UNOFFICIAL DRAFT - 6/11/13 Afternoon Session 

27 

Q Do you recognize that document? 

A Yes, sir; I do. 

Q What is it? 

A It ' s a file listing of the contents of the 

Farah investigation folder. 

Q What does a file listing tell you or show 

you? 

A The file names and folder of that 

directory . 

Q Just using that can you find where the 

B22PAX.wmv, where that movie file was located, using 
the file listing? 

A Yes, sir. 

Q And where is it? 

A It's at the end, sir, it's in alphabetical 

listing. The folder is under a folder called videos 
and it ' s — 

Q Is there a subf older under videos? 

A No, it's Farah videos and then the file 

name is BE22PAX. 

Q So the WMV is within the dot zip? 
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A Yes, sir. 

THE COURT : Yes . 

THE DEFENSE: The defense will stipulate 
the video on the (INAUDIBLE) is the same if that's 
where prosecution is going. 

THE PROSECUTION : That ' s where we ' re going . 

THE COURT: Okay. 

THE PROSECUTION: Just a couple more 

questions . 

BY THE PROSECUTION: 



Q Did you watch the BE22PAX.wmv? 

A Yes, sir. 

Q What did the movie depict? 

A It depicted a aircraft over a battle space . 

Q Did this particular movie file depict any 

airstrikes? 

A No, sir. 

Q Did you observe any explosions in this 

movie file? 

A No, sir. 

Q How do you know? 
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A I watched it . 

Q You watched both versions? 

A Yes, sir. 

Q Was there any metadata associated with the 

dot zip file on Mr. Katz ' s computer? 
A Yes, sir. 

Q Can you explain what metadata is first 

before you answer? 

A Yes, sir. Metadata is information on 

information. In this case it would be, I believe 
you're talking about the file creation date. 

Q Yes, sir. 

A The file creation of this file was 15 

December 2009. 

Q And what does that mean to you? 

A That means someone copied the file on this 

computer on 15 December 2009. 

Q And during your examination of this 

computer, did you observe any other activity of 
interest? 

A Yes, sir. There was a, the user of this 
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account was attempting to decrypt the file or get the 
password of the zip file. 

Q How do you know? 

A From a few things . There ' s a folder 

called, it was a history file that captured the 
commands are issued, the downloading of an open source, 
password cracking utility and several dictionaries to 
help facilitate the password cracking. 

Q Why would the dictionaries help facilitate 

password cracking? 

A Dictionary (INAUDIBLE) is a common 

methodology for decrypting files . It would use words 
or generate common words and use that as a source to 
get the passwords . 

THE COURT: Cross-examination? 

THE DEFENSE: One minute, Your Honor? 

THE COURT : Yes . 

CROSS-EXAMINATION BY THE DEFENSE: 
Q Just a few questions for you. 

A Yes, sir. 

Q You testified on direct that you compared 
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the video on the Jason Katz ' s computer to the video on 
the CENTCOM server? 

A Yes, sir. 

Q They were both on the Katz computer and the 

CENTCOM server, both of those files were in the zip 
folder? 

A Correct . 

Q And the zip folders had different hash 

values? 

A That ' s correct . 

Q But the video inside, those had the same 

hash value? 

A Yes, sir. 

Q So it ' s possible for the zip folder to have 

a different hash value but then the files inside to 
have the same hash value? 

A Yes, sir. 

Q And you testified that Jason Katz somehow 

placed that file on his computer on 15 December, 
correct? 

A The user account did, yes . 
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Q But you don't know how it got there? 

A No, sir. 

Q It could have been a CD, it could have 

been — it could have been a CD? 
A Yes, sir. 

Q It could have been a download? 

A Anything is possible. 

Q So there are a lot of different ways that 

that file could have been placed on the computer? 
A Yes, sir. 

Q Now, when you were performing your forensic 

examination of Mr. Katz's computer, you found something 
called a secure shell on there, correct? 

A Correct . 

Q Could you explain for the court what a 

secure shell is? 

A That is a secure communication method. 

It ' s an encrypted tunnel between two different 
computers . One can issue commands from one computer to 
another . 

Q So a secure shell would allow, could 
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potentially allow a person— to— person to communicate 
between their system at work and the system at home for 
example? 

A Sure . 

Q Now, when you were performing the forensics 

on Mr. Katz's computer you looked at everything, 
correct? 

A Yes, sir. 

Q You looked at e-mails? 

A I searched the whole drive; yes, sir. 

Q You searched the whole drive and when you 

were doing your forensic examination of Mr. Katz's 
computer, you looked for things related to my client, 
correct? 

A Yes, sir. 

Q But you didn't find anything related to my 

client, correct? 

A That ' s correct . 

Q There weren't e-mails between Mr. Katz and 

PFC Manning? 

A Correct . 
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Q There weren't chats between Mr. Katz and 

PFC Manning? 

A Correct . 

Q And in fact your investigation revealed 

absolutely no connection whatsoever between Jason Katz 
and my client? 

A That is correct . 

THE DEFENSE : Nothing further . Thank you . 

THE COURT: Redirect? 

THE PROSECUTION: No, Your Honor. 

THE COURT: All right. Once again, you are 
temporarily excused. Please don't discuss your 
testimony or knowledge of the case with anyone other 
than counsel or the accused. 

THE PROSECUTION: Your Honor, I have the 
stipulation of the expected testimony of Mr. Wyatt Bora 
dated 10 June 2013. 

THE COURT: That's Prosecution Exhibit? 

THE PROSECUTION: Prosecution Exhibit 115. 

THE COURT : Thank you . 

(Whereupon, Prosecution Exhibit 115, the 
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stipulated testimony of Wyatt Bora, was read into the 
record. ) 

THE PROSECUTION: The stipulation of 
expected testimony of Mr. Patrick Hoeffel dated 10 
June 2013. Prosecution Exhibit 116, ma'am. 

THE COURT: Okay. 

(Whereupon, Prosecution Exhibit 116, the 
stipulated testimony of Patrick Hoeffel, was read into 
the record . ) 

MR. FEIN: I have two more stipulations of 
expected testimony, PE113 and PE78. 113 and 78. 
THE COURT : Thank you . 

(Whereupon, Prosecution Exhibit 113, the 
stipulated testimony of Deborah van Alstyne, was read 
into the record.) 

THE PROSECUTION: Ma'am, the United States 
moves to admit what has been marked as Prosecution 
Exhibit 40 for identification. This is Prosecution 
Exhibit 40. 

MR. HURLEY: No objection. 

THE COURT: All right. Prosecution Exhibit 
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4 for identification is admitted. 

THE PROSECUTION : Ma ' am Prosecution Exhibit 
7 8 stipulation of expected testimony Special Agent Mark 
Mander 9 June 2013. 

(Whereupon, Prosecution Exhibit 78, 
stipulated testimony of Special Agent Mark Mander, was 
read into the record.) 

THE PROSECUTION: Prosecution Exhibit 92 
for identification is the SD card, item 2 of DN162— 10. 

Your Honor, United States moves to admit as 
evidence Prosecution Exhibit 92 for identification as 
Prosecution Exhibit 92 . 

THE DEFENSE: No objection. 

THE COURT: May I see it, please. 

THE PROSECUTION: Your Honor, may I have a 

moment ? 

Your Honor, may we actually mark this 
during the next recess? 

THE COURT : Yes . 

Prosecution Exhibit 92? 

THE PROSECUTION: Yes, ma'am. 
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We're ready to call the next witness. 

THE COURT: Looking at the time, do you 
want to take a brief recess right now? 

THE PROSECUTION: Yes, Your Honor. Well, 
ma'am, we can but we're going to ask for another recess 
after this next recess to reset the evidence. 

THE COURT: Is this witness going to be 

very long . 

THE PROSECUTION: No, this is the 
examination of the SD card. 

Then Special Agent Shaver is being called 
but (INAUDIBLE) we need a recess. 

THE COURT: And you would like a recess now 

anyway? 

THE DEFENSE: Actually, if it's just the SD 
card, once they put the witness on the stand, we would 
stipulate to the SD card and its contents . So if that 
would speed up the government's (INAUDIBLE) . 

THE PROSECUTION: The contents are 
important, Your Honor, so are the dates of the creation 
of the files . 
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THE COURT: Go ahead and call your witness. 

THE PROSECUTION: United States calls 
Special Agent David Shaver. 

THE COURT: Mr. Coombs, tell me one more 
time what the defense is going to stipulate to? 

MR. COOMBS: We would stipulate to the 
contents of the SD card. So if Agent Shaver is being 
called to say what was on the SD card, we would 
stipulate that as accurate. 

THE COURT: Go ahead and call the witness. 

Mr. Shaver, you're reminded you're still 

under oath . 
Whereupon, 

DAVID SHAVER, 

called as a witness, having been previously duly sworn 
to tell the truth, the whole truth, and nothing but the 
truth, was examined and testified as follows: 

REDIRECT EXAMINATION BY THE PROSECUTION: 

Q Agent Shaver, do you recall examining a SD 

card at (INAUDIBLE)? 

A Yes . 



Provided by Freedom of the Press Foundation 



1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 



UNOFFICIAL DRAFT - 6/11/13 Afternoon Session 



39 

Q Who requested that? 

A One of the agents did. 

Q Did you examine the actual SD card itself 

or an image of the SD card? 

A Sir, I checked out the evidence from the 

evidence room, created a forensic image, verified the 
forensic image and checked the evidence back in. I 
worked off the image file. 

Q Agent Shaver, what did you find in the 

unallocated space on the SD card? 

A I found several pictures, partial movies 

and text files . 

Q What were the text files? 

A They were pertaining to the CIDNE documents 

and the SigActs . 

Q And what was found in the allocated space 

on the card? 

A Sir, there was one file, yadda dot star dot 

bz2 dot NC. 

Q Where was this found on the SD card? 

A There was a folder called DCIM. 
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Q What is a DCIM? 

A Sir, that's a standard folder that's 

created by digital cameras . 

Q What is it used for? 

A It is for organization of photos . 

Q I'm going to show you what ' s been marked as 



Prosecution Exhibit 105 for identification. 
(INAUDIBLE) . 

I hand the witness what ' s been marked as 
Prosecution Exhibit 105 for identification. 

Do you recognize that? 
A Yes, sir; I do. 

Q What is it? 

A Sir, it's a screenshot I created of the 

file yadda dot tar dot bz2 dot NC and the creation 
date . 

Q How do you create a screenshot? 

A Sir, this is actually a screenshot of 

EnCase forensic program. 

MR. FEIN: Permission to publish, Your 

Honor? 
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THE COURT: Go ahead. What is that noise? 
MR. FEIN: Ma'am, it's the projector 
turning on and off. 

Q Agent Shaver, can you identify on the 

screenshot the file you're referring to? 
A It's the file in the middle. 

Q And just let's go through the file itself. 

What does the MC on the end of that file 

mean? 

A Sir, that's, it's a default standard file 

naming for a file which has been encrypted using the M 
crypt software . 

Q What does M crypt stand for? 

A That's an open source utility to encrypt 

files . 

Q And when you say encrypted, how would you 

open this file? 

A You needed a password. 

Q And were you able to open this file? 

A Yes, sir; I was. 

Q What password did you use? 
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A Sir, I used a password PFC Manning provided 

to Mr. Lamo in the chats. 

Q And what date was this file created? 

A January 30th, 2010. 

Q And how do you know that? 

A Because that's what the date is shown here, 

sir . 

Q What date are you referring to? 

A The file created date, sir. 

Q And when you opened this file, what was 

contained within? 

A Sir, there were four files contained 

therein . 

Q I'm handing Prosecution Exhibit 105 for 

identification back to the court reporter, and 
retrieving Prosecution Exhibit 50 for identification. 

I ' m handing you what ' s been marked as 
Prosecution Exhibit 50 for identification. 
Do you recognize that? 
A Yes, sir; I do. 

Q What is it? 
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A It ' s a screenshot I've created of the 

contents of the file. It shows the file, the four 
files contained therein and the last written date. 

Q And how is that created? 

A Sir, it's a screenshot of the EnCase 

forensic software. 

Q Permission to publish? 

THE COURT: Go ahead. 

Q We don't need to necessarily go through, 

well, actually let's briefly go through the top file. 
AFG underscore (INAUDIBLE) what was contained in that? 

A Sir, that was approximately 91,000 complete 

SigActs pertaining to the Afghan theater. 

Q And what date was that file created? 

A Sir, that was, like I say, the file — 

because the file was encrypted and the files were 
zipped up, the actual creation date was lost, but the 
last written date remains . 

Q What does the last written date tell you? 

A That ' s the last time the file was written 

to or updated. That date would be January 8th, 2010. 
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Q Again, go down to the next file. IRQ 

underscore events dot (INAUDIBLE) what was in that 
file? 

A Sir, approximately 390,000 complete SigActs 

pertaining to, from CIDNE database pertaining to the 
Iraq theater. 

Q What date was that last, that file last 

written? 

A It was January 5th, 2010. 

Q And finally, the file README . txt , what was 

contained in that file? 

A Sir, that was kind — just a text file 

contained some information about the two CSU files . 

Q What about that last file? 

A Sir, that's a temporary file. It was 

written by, created by the Macintosh operating system. 
No important information in there except it shows that 
Macintosh was used to create it . 

Q When was the README . txt file last written? 

A Last written January 9th, 2010. 

Q I'm handing Prosecution Exhibit 50 for 
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identification to the court reporter. 

THE COURT: Before you do that, I didn't 
catch the number for the first file. 

THE WITNESS: Afghan? 

THE COURT: Whatever the first file was. 
THE WITNESS: Approximately 91,000. 
THE COURT : Thank you . 
BY THE PROSECUTION: 

Q I'm showing Prosecution Exhibit 42 for 

identification . 

I'm handing the witness what's been marked 
as Prosecution Exhibit 42 for identification. Agent 
Shaver, do you (INAUDIBLE) what it is? 

A That is the README . txt file. 

Q Generally (INAUDIBLE) , what does the text 

file describe? 

A It describes the files, the CIDNE 

documents . The Iraq and Afghanistan significant 
activities, SigActs . 

THE PROSECUTION: Permission to publish the 
report, Your Honor? 
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THE COURT : Yes . 
Q Is that an accurate representation of the 

file you just looked at? 
A Yes, sir. 

THE PROSECUTION: Your Honor, the 
Prosecution moves to admit Prosecution Exhibit 42 into 
evidence . 

THE DEFENSE: No objection. 

THE COURT: Prosecution Exhibit 42 is 

admitted. 

THE PROSECUTION: Thank you, Agent Shaver. 

THE COURT: Cross-examination? 

THE DEFENSE: (INAUDIBLE) . 

RECROSS— EXAMINATION BY THE DEFENSE: 
Q Good afternoon, Agent Shaver? 

A Good afternoon, sir. 

Q Agent Shaver, I want to talk first about — 

you talked about the contents of the SD card and you 
were talking about the file written or the file created 
date? 

A Correct . 
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Q And I believe you said the Afghan war 

diary, that was written on 8 January? 

A I would have to see that document again to 

be sure, but. 

Q Okay . 

THE DEFENSE: Can I retrieve Prosecution 

Exhibit 50? 

THE COURT: It's still 50 for 
identification . 

THE DEFENSE: 50 for identification. Thank 

you , ma ' am . 

Permission to publish this, Your Honor. 
THE COURT: Yes. 
BY THE DEFENSE: 

Q Agent Shaver, we have got the Afghan events 

dot CSC file and last date written 8 January? 
A Correct . 

Q Would you agree with me that date could be 

associated with when that file was placed on the SD 
card? 

A No. Maybe. I'm sorry, sir, I don't — 
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(INAUDIBLE) it was contained within a zip file. 

Q Okay. Is it possible that that, that the 

last written date changed when the file was put on the 
zip, on the SD card? 

A Could, yes, sir. 

Q So it doesn't necessarily mean that that's 

the last time the file was added to or changed the 
substance of that document? 

A It's possible; yes, sir. 

Q And the same would of course then be true 

for the others? 

A The others . 

THE DEFENSE: Returning Prosecution Exhibit 
50 for identification. 

Q Now, those files were in a zip file, 

correct? 

A Yes, sir. 

Q And that was, that had a password? 

A Yes, sir. 

Q And it was encrypted. 

And you testified that you received the 
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password or you got access to the password through the 
chats? 

A Right . 

Q Between PFC Manning and Mr. Lamo; is that 

correct? 

A Uh— huh. Yes, sir. 

Q Now, the password that was discussed in 

those chats was actually for PFC Manning's AKO account, 
wasn't it? 

A I believe so, yes. 

Q So it was just kind of luck that that 

password also opened this file? 

A It is what it is, sir. It's the same 

password. 

Q Okay. Fair enough. It wasn't in the chat, 

it wasn't identified as, hey, here's the password for 
this encrypted file? 

A Yes, sir; you're correct. 

Q It was identified as here's the password 

for my AKO account? 

A Correct . 



Provided by Freedom of the Press Foundation 



1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 



UNOFFICIAL DRAFT - 6/11/13 Afternoon Session 



50 

Q Okay . 

Now, once you, you use that password to get 
into the encrypted file and you got those CSV files, 
what did you do with those? 

A I extracted them and I provided them to the 

case agent . 

Q When you extracted them, what did you put 

them in? What program did you use? 

A I extracted them and gave them as is, I 

didn ' t , you can open with Excel . 

Q Okay . So you can open those with an Excel 

document and you gave those to the case agent . 

I'd like to retrieve what's been marked as 
Defense Exhibit Echo for identification. 

And Agent Shaver, I'll ask you to move over 
here to the panel box . 

I ' m handing betweens Exhibit Echo for 
identification to the witness. 

Agent Shaver, please look at that document . 
What is that? 
A Sir, this is a SigAct . 
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Q How do you know that? 

A Sir, I created this. I extracted the 

SigAct from the CIDNE, one of these files, I'm sorry, I 
forget the file name. 

Q Was it from the Iraq events? 

A Yes, sir. 

Q How did you go about creating that file? 

A Sir, I copied — each line of the CSV is a 

complete SigAct. I highlighted a specific line, copied 
it . I put it into notepad which I removed all 
formatting. I then recopied it from notepad into 
Microsoft Word. Printed this and initialed it. 

THE DEFENSE : Can I have a moment , Your 

Honor? 

THE COURT : Yes . 
(Pause . ) 
BY THE DEFENSE: 

Q Agent Shaver, what's the date on that 

SigAct? 

A 30 December 2009. Am I reading the right 

place? 
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THE DEFENSE: Permission to approach? 
THE COURT : Yes . 
Q Agent Shaver, what's the date on that? 

A Sorry, December 24, 2009. 

Q Okay . And without answering in a 

classified manner, what's the general, what sort of 
incident does that report? 

A Appears IEDs explosion. 

THE DEFENSE: I'm going to retrieve Defense 
Exhibit Echo for identification and offer it as Defense 
Exhibit Echo . 

THE COURT: All right. Yes? 

THE PROSECUTION: No objection, Your Honor. 
THE COURT: Okay. Getting late in the day. 
I think I will need that recess. 
Defense Exhibit Echo for identification is 

admitted. 

THE DEFENSE: Agent Shaver, thank you. 
That ' s all the questions I have . 

THE COURT: Redirect? 

THE PROSECUTION: Yes, Your Honor. 
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REDIRECT EXAMINATION BY MR. MORROW: 
Q Agent Shaver, I'm going to ask you, without 

pulling out Defense Exhibit Echo again — if you would 
move back to the witness stand, please — when you read 
that SigAct, was any information redacted? 
A No. 

Q So the units were identified? 

A Yes . 

MR. HURLEY: Objection. Leading. 

THE COURT : Overruled . 
Q Was any information redacted? 

A No, sir. 

Q Was any information replaced by markers? 

A I did not see any . 

MR. MORROW: No further questions. 

MR. HURLEY: None, ma'am. 

THE COURT: All right. Temporary excusal? 
MR. FEIN: Yes, ma'am. 

THE COURT: Once again, you are temporarily 
excused. Same rules apply as before. 

THE WITNESS: Yes, ma'am. 
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MR. FEIN: The United States asks for a 

recess . 

THE COURT: The court is in recess until 

15:35, 3:35. 

(Court in recess.) 

THE COURT : Court is called to order . 
Can you account for the parties? 
MR. FEIN: All parties are in the court at 
last recess with the exception of Captain von Elten . 

THE COURT: Is the government ready to 

proceed? 

THE PROSECUTION: Government calls Special 
Agent Shaver . 

REDIRECT EXAMINATION BY THE PROSECUTION: 
Q I just want to remind you you're still 

under oath . 

Agent Shaver, I'd like to discuss your 
examination of a couple of SIPRNET computers . The 
first, what were the IP addresses of the SIPRNET 
computers you examined in this case? 

A I examined several but primarily two, dot 
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22 and dot 40 . 

Q When you say dot 22 what are you referring 

to? 

A The IP address, the internet protocol 

address . 

Q What was your process for examining this 

computer? 

A The process was to verify the hash values 

and make sure it was an accurate image . And then start 
conducting examination to see what's there. Search 
both the allocated and unallocated spaces . 

Q Did you verify the hash values? 

A Yes, I did. 

Q Now, with respect to the dot 22 computer, 

what did you look for first, what were you looking for 
first? 

A I was looking to see what files were 

present. First off, was there a Bradley dot Manning 
user profile. 

Q Did you find one? 

A Yes . 
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Q What do you mean by what files were 

present? 

A I wanted to see what files were present 

within the user profile. Again at this time I hadn't 
been given the chat log so I was looking at things 
concerning the Department of State and things like 
that . 

Q And when you say present, are you referring 

to allocated files? 

A Yes, sir; I am. 

Q And now, what kind of web browser was under 

PFC Manning's profile? 

A There were two . 

Q What were the two? 

A Internet Explorer and Firef ox . 

Q What was the configuration of the Internet 

Explorer web browser? 

A There was a standard Army build where the 

user can surf the web but could not clear the internet 
history . 

Q And where does a computer keep internet 
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history? 

A For Internet Explorer it keeps it in a user 

profile called index dot dat file. 

Q What does that file contain? 

A Times and dates, files accessed either 

locally or remotely and IPs address. 

Q You said files accessed. What do you mean 

by that? Describe how the computer would log some 
action on the computer in the — or action by the user 
in the index dot dat file? 

A If it went to a web page, it would log it 

as a web page. If he went to CNN.com, it would be 
there. If he double clicked on a Word document that 
would be there as well . 

Q You said this computer had a Firefox web 

browser? 

A Yes . 

Q How that was configured (INAUDIBLE)? 

A That was configured to run in privacy 

browsing mode wherein no user history would be 
maintained . 
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Q And what was the home page of the Firefox 

web browser? 

A Intelink. 

Q Now, you were looking for the files that 

were present on the computer. Did you find any files 
that seemed to be odd or at least were pertinent to the 
investigation as you knew it at this point? 

A Yes, sir. 

Q What did you find? 

A Within the user profile Bradley dot Manning 

there was a folder called blue and within there there 
was files dot zip. The files dot zip contained over 
10,000 complete Department of State cables. 

Q So let's, we'll take each of those in turn. 

I'm retrieving what's been marked as 
Prosecution Exhibit 104 for identification. 

I'm handing the witness what's been marked 
as Prosecution Exhibit 104 for identification. 

A Yes, sir. 

Q Agent Shaver, do you recognize that? 

A Yes . 
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Q What is it? 

A It ' s a screen shot I created of the folder 

blue that contains deleted files and file creation 
dates . 

Q And is the folder blue? 

A Yes . 

Q How would you create a screen shot? 

A This is a screen shot of then case program 

which allows you to see the allocated and unallocated 
deleted files . 

THE PROSECUTION: Permission to publish? 
THE COURT: Okay. 
BY THE PROSECUTION: 

Q Agent Shaver, can you point out the files, 

essentially the files that you just talked about 
earlier? Let's start with backup dot XLSX. 

A Yes, sir. 

Q Generally, what was in that file? 

A Sir, that was a Excel spreadsheet with 

three tabs. The tabs were 0310-0410, the next tab 0510 
and the last one was WJ. 



Provided by Freedom of the Press Foundation 



1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 



UNOFFICIAL DRAFT - 6/11/13 Afternoon Session 



60 

Q And you also mentioned files dot zip? 

A Correct . 

Q What was in files dot zip? 

A Files dot zip contained, actually it was a 

partially corrupted zip file that contained over 10,000 
complete Department of State cables . 

Q And when you say partially corrupted, what 

do you mean by that? 

A Something went wrong when this zip file was 

created. I don't know what, but I can tell you a 
normal user when they tried to view it, winzip would 
give you the error, this file is corrupted you cannot 
view it . Using the EnCase forensic software it still 
allowed me to view the contents . 

Q And — okay . What was the format of 

Department of State cables in files dot zip? 

A HTML. 

Q What is HTML? 

A It ' s a web page . 

Q I will show you what ' s been marked as 

Prosecution Exhibit 101 for identification. 
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I'm handing the witness what's been marked 
as Prosecution Exhibit 101 for identification. 
(Witness reading.) 
A Yes, sir. 

Q Agent Shaver, do you recognize that? 

A Yes, sir; I do. 

Q What is it? 

A It ' s the contents of the backup dot XLSX 

file. 

Q What is XLSX? 

A That is Office Excel document. 

THE PROSECUTION: Permission to publish 
with the court, Your Honor? 

THE COURT: Okay. 
BY THE PROSECUTION: 

Q Agent Shaver, is this the top of the Excel 

file or the bottom of the Excel spreadsheet? 

A It appears to be the bottom. 

Q Let ' s go through the tabs . You said 

there's a (INAUDIBLE) tab. I see. 0310 and 0410, what 
does that contain? 



Provided by Freedom of the Press Foundation 



1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 



UNOFFICIAL DRAFT - 6/11/13 Afternoon Session 



62 

A Those contain the Department of State 

cables which had been published by the various 
embassies throughout the world for the March and 
April 2010 timeframe. 

Q What does the 5010 tab contain? 

A Similar files . They were Department of 

State cables published by various embassies throughout 
the world for May 2010. 

Q When you said Department of State cables, 

was it the full cables? 

A Yes — no, sir, these were, no, sir, they 

were not . 

Q What did this spreadsheet — 

A Sure, the first left number was a tracking 

number created by the user. The date and time, again, 
of the file apparently when it was retrieved. The 
embassy, the embassy's cable name and the embassy's 
common name and the classification marking. 

Q I'm going to show you what ' s been marked as 

Prosecution Exhibit 102 for identification. 

Agent Shaver, do you recognize that 
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document ? 

A Yes, sir; I do. 

Q What is it? 

A Again, this is a same backup XLSX file. 

Q And how is that document created? 

A This is a, just a screen shot, from Excel. 

Q What's the number on the top left? 

A The ID number, sir, is 251288. 

Q And I'm going to show — 

THE PROSECUTION: Permission to publish, 

Your Honor? 

THE COURT: Go ahead. 
BY THE PROSECUTION: 

Q What was the significance in this 

investigation to 251288, the top left number? 

A The WikiLeaks had published 251,287 

documents . 

THE PROSECUTION: Your Honor, the 
Prosecution moves to admit Prosecution Exhibit 102 into 
evidence as Prosecution Exhibit 102. 

THE DEFENSE: No objection. 
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THE COURT : All right . Let me see it . 
Prosecution Exhibit 102 for identification 

is admitted. 

BY THE PROSECUTION: 

Q Let's talk about the Wget worksheet. I'm 

retrieving what ' s been marked as Prosecution Exhibit 
100 for identification. 

I'm handing Prosecution Exhibit 100 for 
identification to the witness . 

(Witness reading.) 

Q Do you recognize that, sir? 

A Yes, I do. 

Q What is this? 

A It ' s a screen shot of the Wget tab within 

the backup of the dot XLXS file. 

THE PROSECUTION: Permission to publish, 

Your Honor? 

THE COURT: Go ahead. 
BY THE PROSECUTION: 

Q Agent Shaver, can you just describe how 

someone would use Wget or how this might be used in 



Provided by Freedom of the Press Foundation 



1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 



UNOFFICIAL DRAFT - 6/11/13 Afternoon Session 



65 

conjunction with the program Wget? 

A Yes, sir. This spreadsheet, what this 

shows here is the Wget command being operated. The 
Wget-0 is the output file is the Department of State 
name and further there's the address of the website and 
what to get . 

Q What do you refer to when you said the web? 

A The MC state dot SD dot gov. 

Q NC state? 

A Yes, sir, NCD . 

Q Sorry. Keep going. So? 

A For barred slash message forward slash 

reference and there would be the Department of State 
cable itself. 

Q Now, how would you use Wget, how would you 

use a message (INAUDIBLE) number to download cables 
from the State Department? 

A That's how they're stored by message record 

number. So that's how they would be stored. If you 
would like to retrieve it, you would have to request it 
by day. 
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So in this case the first top line you can 
see that the file 10 cavara (phonetic) 1553, that cable 
is being downloaded. 

Q Okay. Now, where does Wget run from? 

A From the command line . 

Q Does it run from the server, the NCD server 

or from the computer? 

A It ' s a local computer. (INAUDIBLE) local 

computer . 

Q What other — first I'm handing the 

Prosecution Exhibits back to the court reporter. 

What other Wget related information did you 
find on this computer? 

A Within Windows prefetch files there showed 

there was prefetch files where I captured Wget being 
run from the Bradley dot user Manning profile on 
several location. 

Q What are prefetch files? 

A Sir, that ' s a Microsoft Windows feature 

whereas the Microsoft will cache parts of the 
information about a program so the next time you run 
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it, it will run faster. 



Q 



Now, you said from different locations? 



A 



Yes, sir. 



Q 



What do you mean by that? 



A 



The prefetch files, part of, what it 



captures, it also captures the path of the program. 
Within the prefetch file there are several prefetch 
files which are run from various locations within the 
Bradley dot Manning user profile . So the Wget was 
copied to various folders within and then run . 

Q Why would Wget not run from different 

folders? 

A To capture the data faster. 

Q And when did Wget appear in PFC Manning ' s 

user profile on the computer? 

A It first appeared in March 2007 or 

March 7th, 2010. 

Q And but was that, did you find that in the 

user profile? 

A No, sir. I found that through the 

prefetch. The file Wget was present in the allocated 
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space in the W dot Manning user profile before 
May 2010. 

Q What does the presence of Wget in the 

prefetch file in early March tell you when the Wget 
program was put on the computer in format? 

A It means it was, it was there prior, it was 

obviously on the computer within again the Bradley dot 
Manning user profile in March 2010 and it was 
physically located, created in May 2010 so that means 
the file was copied and placed there again . 

Q What other findings did you make regarding 

the Department of State information? 

A Sir, within the Windows temp folder there 

are two files, both have the CID (phonetic) security 
identifier of the user profile Bradley dot Manning and 
these two files each contain several hundred complete 
Department of State cables . They were in a CSV format 
but however they had been Base64 encoded. 

Q Let's start first, what is the Windows temp 

folder? 

A That is a default folder for the Windows 
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operating system to write temporary files to . 

Q And you said CSV file, what is a CSV file? 

A Sir, that's common separated value. 

Q Why would someone use a CSV file? 

A That's to, the ease of moving data around. 

CSV is a standard format for that . 

Q You also mentioned Base64? 

A Yes, sir. 

Q What is Base64? 

A That's a method of encoding. Encoding is, 

it's a way of transposing data to make it easier to 
move it. It compacts it, but it also makes it easier. 

Q Why would someone convert HTML to Base 6 4 

and embed it in CSV? 

A A CSV is a common separated value . 

Department of State cables are sentences so they would 
have commas, periods, things like that. So the comma 
separated value file only works if you use commas in 
the right location. If there's extra commas, 
everything gets spread out. It doesn't line up and 
work right . By encoding it with Base64 you alleviate 
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that problem. 

So it ' s only the commas that you tell it to 

be there . 

Q And did you search the — this was, now I 

believe we have been talking about allocated space, but 
did you search the unallocated space for the Department 
of State information? 

A Yes . 

Q What did you find? 

A I found over 100,000 complete and partial 

Department of State cables in the unallocated space . 

Q What do you mean by complete and partial? 

A 134 were complete, had not been 

overwritten. Other ones had partially been 
overwritten, so part of the file existed but not the 
complete file . 

Q I want to talk about the restore points on 

the computer. First, what is a restore point? 

A Sir, restore point is a Microsoft concept 

to make sure that your computer did not break . 

Let ' s say you load a piece of software . It 
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will create a restore point prior to installing the 
software so if there's a problem, you can go back in 
time and your computer will work again. 

If you plug a new hard drive in and it 
doesn't work and you activate the restore point and go 
back in time and it was like the hard drive was never 
actually installed so your computer continues working. 

Q And what does your examination of the 

restore points tell you about the computer generally? 

A It would show things like, it would show 

file names . Files that either did exist or had existed 
at one time within the various user profiles . 

Q Did the restore points shed any light on 

the date that the computer might have been imaged? 

A Yes, sir. 

Q Please explain. 

A The computer is approximately imaged in 

early March 2010. 

Q And what, if a computer has been imaged in 

March 2010, what does that mean to you as the forensic 
examiner? 
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A Since it had been reimaged, everything 

really pertinent, all the allocated files prior to that 
were now unallocated or overwritten. 

Q Agent Shaver, I want to talk about the 

contents of the Farah folder we discussed earlier. 

Did you find any documents related that 
were contained from the Farah folder? 

A I found some deleted jpegs which are 

graphic image files and PDF files . 

Q What about just evidence that the files had 

been clicked on or something like that? 

A Yes, sir, within the index dot dat file 

there are several hundred files named, naming 
convention would suggest there was a fraud 
investigation . 

Q What was the date of the activity on the 

index dot dat file? 

A April 10, 2010. 

Q Is the index dot dat file, is it easy to 

find as a regular user of the computer? 

A No, sir, that's a hidden file. 
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Q At what point does the computer store the 

index dot dat time? 

A It ' s a database . So to extract information 

out you need a stool, another program to extract it to 
make it easier to read for people . 

Q And in this case, what did you do with the 

index dot dat file? 

A I extracted it and put it into Excel for 

ease of review . 

Q When you extracted and put it into Excel 

did you alter the information in any way? 

A No, sir, I did not. 

Q If you had printed the entire index dot dat 

file in this Excel version, how long, how many printed 
pages would that be? 

A A lot, sir. Several hundred probably. 

Q I'm retrieving what's been marked as 

Prosecution Exhibit 128 for identification. 

I'm handing the witness what's been marked 
as Prosecution Exhibit 128 for identification. 

Just take a few moments to look at it . 
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(Witness reading.) 
Q Do you recognize that document? 

A Yes , I do . 

Q What is it? 

A Sir, that is an Excel spreadsheet I 

created. It's an extract summary of the index dot dat 
pertaining to April 10th. 

Q And how did you create this summary of the 

index dot dat? 

A Sir, I filtered on, filtered on April 2010. 

THE PROSECUTION: And permission to publish 
with the court, Your Honor? 

THE COURT: Go ahead. 
BY THE PROSECUTION: 

Q I'm going to publish just the last page of 

the Exhibit. But Agent Shaver, I'm just publishing the 
last page, but I'd like you to just describe what the 
activity you observed in the index dot dat file on this 
date is . What are you observing? 

A Sir, left to right we have obviously a line 

item number, the next one is a date in military time, 
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GMT3 hours. It's, it shows you visited. The Bradley 
dot Manning user profile, visit a file called, located 
in the documents and settings, Bradley dot Manning my 
documents downloads folder tab underscore D tab space D 
appendix — 

Q Well let ' s make this shorter . 

Let ' s look at the last line of this line 

247 . 

A Yes, sir. 

Q Of the line that ends in Farah dot set? 

A Correct . 

Q Describe the activity observed from that 

line and up leading to again Farah dot set . 

A Correct. Sir, apparently some files were, 

it shows three files. Three PDF files were visited at 
1659 hours and at 1705 a file called Farah dot zip was 
visited by the Bradley dot Manning user profile is in 
the downloads folder and so are the other documents . 

Q Now, if you look at the entire Exhibit 128 

for identification in conjunction, I mean, if you flip 
through every page, what does the activity show you, 
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what does the index dot dat capture? 

A It ' s capturing a user account Bradley dot 

Manning first visiting a website non-REL dot CENTCOM 
dot smil dot mil . Then shortly there later a lot of 
files locally on the computer. 

Q How can you tell that they ' re locally on 

the computer? 

A Again, sir, the file, if it's local it 

would be user name at file. If it was a web page, it 
would be user name at http, that means 4:05. 

THE PROSECUTION: Your Honor, at this time 
Prosection is moving to admit Prosecution Exhibit 128 
into evidence . 

THE DEFENSE: No objection, Your Honor. 

THE COURT: Prosecution Exhibit 128 is 

admitted. 

BY THE PROSECUTION: 

Q Now, if I could, I'd like to retrieve 

Prosecution Exhibit 128. 

Agent Shaver, in this time period 10 
April 2010, if you would just look, we talked about a 
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BE22PAX.zip earlier. Do you remember that? 
A Yes, sir. 

Q Do you see any videos locally on the 

computer at this time? 
A No, sir. 

Q Did you look for BE22PAX.zip? 

A I have previously. Yes, sir. It is not 

there . 

Q Now, Agent Shaver, I want to transition 

from logs collected from the CENTCOM SharePoint server. 
Did you examine logs from that server? 

A Yes, sir, I did. 

Q When was the first date captured by the 

CENTCOM SharePoint SharePoint logs? 
A 1 December 2009. 

Q So you didn't have anything prior to 1 

December 2009? 

A No, sir. 

Q Now, what type of information was captured 

in the CENTCOM SharePoint SharePoint log? 

A These are the Microsoft SharePoint logs . 
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They ' re standard Windows logs . They capture a local IP 
address making a request, date and time, and the 
activity, the file requested. 

Q Now, when you say a local IP address, what 

do you mean? 

A Sir, these logs have been configured to 

capture local IP — (INAUDIBLE) — so if a dot 22 or 
dot 40 connected that would not show up to the 
computer . It would be a local IP to the network . 

Q When you reviewed the CENTCOM SharePoint 

logs, did you observe any activity on 10 April 2010 in 
those logs? 

A I did, sir. 

Q What did you observe in the logs? 

A There was a large download of files . 

THE PROSECUTION: I'm retrieving what's 
been marked as Prosecution Exhibit 129 for 
identification . 

I'm handing the witness what's been marked 
as Prosecution Exhibit 12 9 for identification into 
evidence . 
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BY THE PROSECUTION: 

Q Take a few moments . 

(Witness reading.) 
Q Do you recognize that document? 

A Yes, sir. 

Q What is it? 

A This is a Excel spreadsheet I created from 

the CENTCOM logs pertaining to the downloads on 10 
April 2010. 

Q And approximately how many lines of 

activity are in this document? 

A Sir, there are 334 lines . 

THE PROSECUTION: I'm retrieving the 
exhibit from the witness . 

Your Honor, permission to publish? 
THE COURT: Go ahead. 
BY THE PROSECUTION: 

Q Agent Shaver, I'm just showing the last 

page of the exhibit . Can you describe the activity 
from left to right? 

A From left to right, the number on the left 
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is the line item number, the date and time. The server 
IP. And the action, the action, the download files 
downloaded . 

Q You reviewed all the activity in the 

CENTCOM SharePoint logs on 10 April; is that correct? 
A Yes, sir. 

Q I'll hand you back Prosecution Exhibit 129 

for identification. 

If you would, just please review or if you 
recall from memory, were any videos downloaded from the 
CENTCOM Sharepoint Server at this time? 

A No, sir, not at this point. 

Q How do you know that? 

A Sir, I searched for them. 

Q What were you using to search? 

A The BE22.zip, they were stored on the file 

as a zip file not as a movie zip. 

THE PROSECUTION: Your Honor, at this time 
prosecution moves to admit Prosecution Exhibit 129 for 
identification into evidence. 

THE DEFENSE: No objection, ma'am. 
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THE COURT: Prosecution Exhibit 129 for 
identification is admitted. 
BY THE PROSECUTION: 



Q Agent Shaver, you said earlier that you 

recovered or found numerous J pegs in the unallocated 
space? 

A Yes . 

Q What is that? 

A It ' s a graphic image file, picture. 

Q Do you have to use any special tool to find 

a J peg? 

A Yes, sir. 

Q What do you use? 

A We use EnCase to search for these things . 

Q When you were searching the unallocated 

space, did you find any video files in the unallocated 
space? 

A No. 

Q Did you find any video files in the 

allocated space? 

A Yes, sir. 
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Q What did you find? 

A I found several movies, two of which were 

dealing with the collateral murder . 

Q Did you find any of the videos that were 

located on the CENTCOM Sharepoint Server? 

A No, sir, I did not. 

Q Did you find any of the videos located on 

the CENTCOM Sharepoint Server in the unallocated space? 
A No, sir; I did not. 

Q Agent Shaver, I'd like to transition to the 

other SIPRNET computer. What was the IP address on 
that computer? 

A Dot 40, sir. 

Q What was your process for the examination 

of this computer? 

A Sir, I verified the hash values matched and 

I conducted my examination to answer the questions . 

Q Were you working off an image? 

A Yes, sir, I was working off an image. 

Q What was the configuration of the computer? 

A Sir, it was a Windows computer. It was a 
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United States Army computer . It was on a domain . 
There was a Bradley dot Manning user profile present . 



Q And did this computer have CD burning 

tools? 

A Yes, sir; it did. 

Q I didn't ask that question before, but did 

the dot 22 computer have CD burning tools? 
A Yes, sir. 

Q What was the CD burning tool? 

A Roxio . 

Q What is Roxio? 

A Sir, that is a CD burning utility, just a 

program to burn CDs . 

Q What happens when you burn a disk using 

Roxio? How does the Roxio program name a disk? 

A Sir, by default it names it by a date time 

group. So by default it's two-digit year, two-digit 
month and day, underscore, two-digit hour, two-digit 
minute . 

Q And that ' s the default setting? 

A Yes, sir. 
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Q Now, how do you know that that ' s the 

default setting for the way a Roxio names a disk? 

A On these computers, sir, I converted dot 22 

into a virtual machine and then I logged in and then I 
burned a disk and then I examined the naming structure 
of the disk. 

Q And again, just this was from a long time 

ago, but what is a virtual machine? 

A Sir, a virtual machine is just another 

computer running virtually within a host computer . So 
if I'm running a windows computer as a host, I can run 
a Linux or Macintosh computer as a guest . 

Q So you burned a CD using Roxio through a 

virtual machine? 

A Yes, sir. 

Q And on the dot 40 computer, what were you 

looking for? 

A Sir, I was looking for any of the similar 

items I found on the dot 22 . Were there any Department 
of State cables and things, documents along those 
lines . 
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Q And what did you find? 

A Sir, within the unallocated space I found a 

CSV file that contained over 100,000 complete 
Department of State cables in Base64 format . 

Q And you said this was in the unallocated 

site? 

A Yes, sir. 

Q And what does Base 64 look like to the human 

eye? 

A Gibberish. A through F, (INAUDIBLE) so. 

Q And these are full cables? 

A Yes . 

Q Now, by just looking at the Base64, were 

you able to tell what the original form of the file 
was? 

A No, sir. I could, I was able to decode 

them from Base64 back to record text and view the 
contents, but the original source at this point I could 
not tell . 

Q And how would someone convert let ' s say 

we're talking about a web page HTML, how would someone 
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convert a web page to Base64? 

A Because of the sheer volume of them all, I 

believe a script was used. A script would be an 
automated step program, small program. 

Q Did you find a script on this computer, on 

the dot 20 computer that would convert HTML to a 
Base64? 

A No, sir, I did not. 

Q Based on your examination of both 

computers, the dot 22 and dot 40 did one appear to be 
used more often by PFC Manning? 

A Yes, sir. The dot 22 appeared to have more 

activity . 

THE PROSECUTION: One moment, Your Honor. 

No further questions, Your Honor. 

THE COURT: Cross-examination? 

CROSS-EXAMINATION BY MR. HURLEY: 
Q Agent Shaver, good afternoon again. 

A Good afternoon, sir. 

Q Agent Shaver, I'd like to talk first about 

Wget . You spoke about Wget on direct examination? 
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A Yes, sir. 

Q Let ' s talk about it some more . 

A Sure . 

Q Now, you would agree with me that Wget does 

not give a user access to information that they 
otherwise wouldn't have access to, correct? 

A Correct . 

Q So if a user ever uses Wget on the, this CD 

database, for example, using Wget isn't going to allow 
that user to grab something they normally wouldn ' t be 
able to see? 

A You are correct . 

Q And it wouldn't, Wget wouldn't allow the 

user to circumvent any sort of restrictions that the 
NCD may place on the user? 

A Correct . 

Q So you would agree with me that Wget 

doesn't give a user any more access than they would 
have normally? 

A Correct . 

Q Now, you spoke about your examination on 
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the 22 machine and the 40 machine and you did a 
complete scrub of those machines, correct? 
A No, sir. 

Q You spoke about some of the machines you 

were looking for. You were also looking for what's 
known as the WikiLeaks most wanted list, correct? 

A Yes, sir. 

Q Something that when you were going through 

both the 22 and the 40 machine, that's something you 
were looking for? 

A Yes, sir. 

Q And let ' s talk about the 22 machine first . 

As you went over that bite by bite and bit by bit you 
never found any evidence that PFC Manning had seen 
that, correct? 

A Sir, I apologize, I don't remember exactly 

what was on the entire list . Do you have that — 

Q I guess let me clarify, I'm sorry. 

The actual list itself? 

A Right. Oh, no, sir; I did not see the 

list . 
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Q So there was no evidence that on the 22 

machine a user had viewed that list? 
A Correct . 

Q No evidence that a user ever had saved that 

list? 

A No, sir. 

Q Or printed it? 

A Yes, sir. 

Q Or done anything with it? 

A Correct . 

Q And the same would be true for the 4 

machine as well, correct? 
A Yes, sir. 

Q And the same would be true, we have heard 

testimony about a number of 2008 from WikiLeaks, you 
would agree there's no forensic evidence that on the 22 
machine that a user of that machine saw any tweets from 
WikiLeaks? 

A There should not have been since it ' s 

SIPRNET and all — 

Q Likewise, the 4 machine? 
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A Correct . 

Q No evidence of viewing any tweets? 

A Correct, sir. 

Q I want to talk about the Farah issue you 

testified about at length on direct . 

You mentioned that you saw some references 
to the Farah video in index dot dat file, correct? 

A No, sir. 

Q What did you say about the index dot dat 

registry in Farah? 

A The Farah folder. 

Q Okay . 

A I did not see anything pertaining to the 

BE22PAX.zip files. 

Q Okay . In the index dot dat there was 

evidence that the user of the 22 machine had viewed 
things related to Farah? 

A Yes, sir. 

Q Correct . Okay . 

And have you ever viewed jpegs? 

A Yes, sir. 
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Q PDFs? 

A Yes, sir. 

Q PowerPoint s? 

A Yes, sir. 

Q But there were no files you would associate 

with videos? 

A Correct . 

Q That was on 10 April? 

A Yes, sir. 

Q And there was no other evidence on the 22 

machine of viewing things or using things related to 
Farah, correct? 

A Correct . 

Q So only on 10 April, right? 

A Yes, sir. 

Q And — 

A Sorry, sir, but there's — 

Q Okay, in the Farah folder? 

A Correct . 

Q Okay . 

Now, you also talked about CENTCOM server 
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logs and a number of downloads and those downloads are 
on 10 April as well, correct? 
A Yes, sir. 

Q And those again were PDFs? 

A Yes, sir. 

Q Jpegs ? 

A Yes . 

Q PowerPoint s? 

A Yes, sir. 

Q Not videos? 

A Correct . 

Q Now, when you looked at the CENTCOM logs, 

you also looked at — you had the ability to look and 
see how many times those zip files, those video zip 
files had been viewed, correct? 

A Correct . 

Q There were three zip files on the CENTCOM 

server? 

A Right . 

Q One of them was BE22PAX.zip; is that right? 

A Yes, sir. 
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Q One of them was BE22STD1 . zip? 

A Sir — 

Q Does that sound familiar? 

A It does sound familiar. 

Q And BE22 strike 2 dot zip? 

A That sounds right . 

Q Agent Shaver, when you were doing your 

examination, were you able to determine how large those 
files were? 

A As I recall, sir, I'm sorry I don't know 

exact numbers , but about 32 megs apiece . 

Q So each individual file was around 30 megs? 

A Correct . 

Q Cumulatively around 90 megs? 

THE COURT: What is a meg? 
Q Would you please — 

A It ' s a file size, megabyte. 

THE COURT: Okay. 
Q Thank you, Agent Shaver. 

Now, you found two instances, if you could, 
again, just remind us how sort of the timeframe for 
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those CENTCOM server logs . When did those — 
A 1 December . 

Q 1 December and? 

A I believe they ended in July 2010. 

Q So from 1 December to July 2010 you agree 

with me when you reviewed those logs there were only 
two instances of those files, those zip files being 
viewed? 

A Yes, sir. 

Q Okay. One of those was on 28 January 2010? 

A Yes, sir. 

Q And one of them was on 23 February, 2010? 

A Correct . 

Q And you have the ability through those logs 

to determine the IP address of the person requesting or 
the computer requesting, correct? 

A No, sir. 

Q No . Okay . 

So you weren ' t able to determine who or 
what computer actually viewed those? 

A Correct . 
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Q Now, I want to talk, again, about or 

continue talking about I guess we'll transition back to 
the 22 machine. 

A Okay . 

Q And I want to talk to you about the 

unallocated space there. Or maybe not dealing with 
unallocated space. We'll talk about the 22 machine 
generally . 

You would agree with me that there was a 
file path that you could see on the 22 machine that 
was, that showed the user of the 22 machine accessing 
the T— drive . There were instances where you could 
see — 

A Yes, sir. 

Q — that user accessing the T-drive . And 

you found an instance where there was a file path T 
colon forward slash BDE, brigade, forward slash special 
staff, forward slash (INAUDIBLE) , forward slash TACP, 
forward slash training, complete by 20 December 2009? 

A Correct . 

Q And you and — okay. 
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So that was on, that file path you found 
the 22 machine accessing that on 17 April, correct? 
A That sounds right, sir. 

Q Okay. And inside that folder you would 

agree with me there was a file called TGTl dot WMV? 
A Correct . 

Q Could you explain for the court what WMV 

file is generally? 

A Generally a movie file. 

Q Could you tell if that particular file GTTl 

was a movie file? 

A Just based off the name. 

Q And the extension? 

A It appear to be based off of the extension. 

Q Were you actually able to view that file? 

A No, sir. 

Q But based on the extension, you would 

associate that with some sort of video? 
A Correct . 

Q Okay. Now, you would agree with me that 

the forensic of the 22 machine show that TGTl dot WMV 
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file in two locations on the 22 machine? 
A Correct . 

Q One of those locations was in the documents 

and settings on C drive, documents and settings, 
Bradley dot Manning, my documents and then forward 
slash Farah, forward slash Farah? 

A Correct . 

Q And that was the same file, TGTl.wmv? 

A Appears to be, yes. 

Q Then the other location where you found 

that file was in, again the C drive documents and 
settings again Bradley dot Manning my documents forward 
slash yadda, forward slash Farah? 

A Correct . 

Q Again, that was TGTl.wmv? 

A Yes, sir. 

Q A file normally associated with a video? 

A Correct . 

Q You agree with me that the 22 machine, it 

would appear took this file off of the T— drive, the 
shared drive of the user would have had access to and 
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moved it to two folders on that user ' s computer that 
were called Farah? 

A Appears so . 

Q I want to go back to the actual file path. 

You would agree with me that on the T— drive, that long 
file path that we have here brigade special staff et 
cetera, the last portion of that is forward slash 
Farah? 

A Correct . 

Q So the 22 machine, we could even say the 

user Bradley dot Manning, accessed the shared drive, 
accessed the shared drive with, called Farah, at least 
in part, there was a movie file in there, would you 
agree with that? 

A Yes . 

Q Bradley dot Manning users account, then 

took that file and placed it on the machine, the 22 
machine in two locations? 

A Yes, sir. 

Q And both of those locations had Farah in 

the title? 
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A Correct . 

Q Now, you also found reference to this 

particular file, TGTl in the dot 22 registry, correct? 
A Correct . 

Q Could you explain for the court what it 

means when you find something in the registry? 

THE COURT: What was it found in the 

registry? 

THE DEFENSE: TGTl do the WMV. 
A Which registry style, the user? 

Q Yes. 

A Each user account has a file called NT user 

dot dat . If you open the documents, there's a lot of 
information within the user dot dat . It maintains 
information such as the last 10 Word documents you 
opened. One of the files there was the TGTl appeared 
to be accessed as well . 

Q So the appearance of the TGTl.wmv file in 

the registry would suggest that it was played? 

A Reviewed . 

Q Were you able to tell what application was 
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used to view that? 

A I believe it was — 

Q Was it Windows Media Player? 

A Yes, sir. Sorry. 

Q Could you explain for the court what one 

generally uses Windows Media Player for? 

A Playing videos or audio. 

Q Okay . So we have the user Bradley dot 

Manning playing the TGTl.wmv file in an application 
that's typically used to view videos? 

A Right . 

Q That was on 17 April 2010? 

A Yes, I don't recall the date. I'm sorry. 

That sounds reasonable . 

THE DEFENSE: Your Honor, I'm going to 
retrieve what ' s been marked as Defense Exhibit Gulf I 
believe for identification. 
BY MR. HURLEY: 

Q Agent, would you please head over to the 

panel box. This actually is Defense Exhibit Gulf for 
ID. 
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I'm handing the Exhibit, to the witness. 
Agent Shaver, do you recognize that 

document ? 

(Witness reading.) 
A Yes, sir; I do. 

Q What is it? 

A Sir, this is a Excel spreadsheet I created 

from the Intelink logs — how far can I go? 

I'm waiting for you to tell me where to go 

on this . 

Q You can say more . 

A Based off the key words Farah and CENTCOM. 

Q How do you know that that ' s what that 

document is? 

A I created it, sir. 

Q How did you go about creating it? 

A Sir, I filtered, again it was an Excel 

spreadsheet . So I filtered on the key words Farah and 
CENTCOM . 

Q So these are the Intelink logs . We dealt 

with these a little bit yesterday and now we have got, 
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again, the Intelink logs are like Google searches, 
correct? 

A Correct . 

Q So what you've done here is you've taken 

the Intelink logs and these are the full logs, right? 
A Yes, sir. 

Q Not just the queries but the full logs? 

A Yes, sir. 

Q And you've taken those and you've filtered 

them to grab any actions that deal with Farah and 
CENTCOM? 

A Okay . 

Q Now, looking at that, would you agree with 

me that at no point did the 22 or the dot 40 user view 
any videos on the CENTCOM server that dealt with Farah . 
Take a moment to look through that . 

A Repeat your question . 

Q I will . Would you agree with me that 

there's no evidence that the dot 22 or dot 4 machine or 
the user Bradley dot Manning, viewed anything, any 
videos that were associated with Farah? 
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A Correct . 

Q What was the date range in those Intelink 

logs? 

A One moment, sir. Appears to be 22 

March 2010. 

Q And the Intelink logs generally speaking 

would include what, what range of dates? 
A November 2009 to May 2010. 

THE DEFENSE : Retrieving that back and we 
would offer this as evidence? 

THE COURT : Can I ask you to repeat your 
answer. What's the 22 March 2010? What was the 
question and answer? 

THE DEFENSE: The question was just what 
dates are encompassed in this document. 

THE COURT : Thank you . 

THE PROSECUTION: No objection, Your Honor. 
THE COURT: Defense Exhibit Gulf is 

admitted. 

BY MR. HURLEY: 

Q Agent Shaver, one more time, the Intelink 
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logs, generally speaking the entire span was from 
November of 2009 to May of 2010, correct? 
A Correct . 

Q So when you looked at, the only activity 

that was captured that dealt with Farah and CENTCOM 
would have been on 22 March, correct? 

A Correct . 

Q Now, Agent Shaver, you talked on direct 

about various ways in which the Farah evidence made its 
way onto PFC Manning's, the SIPRNET machines associated 
with him, correct? 

A Correct . 

Q You talked about, we talked about the Intel 

Link logs . We have also seen data from the CENTCOM 
server, correct? 

A Correct . 

Q Did you look at any other logs in order to 

determine whether any data was transferred from CENTCOM 
to the 22 or the 40 machines? 

A Yes, I did. 

Q What did you look at? 
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A Other logs files called Centaur logs . 

Q What are Centaur logs? 

A Those are net flow logs . They capture 

information (INAUDIBLE) — 

THE PROSECUTION: Objection, Your Honor. 
Outside the scope of the direct. 

THE COURT: Sustained. 

THE DEFENSE: Your Honor, the defense 
believes the government has opened the door to the 
Centaur logs. The witness has testified about how the 
Farah, the video that's the subject of (INAUDIBLE) 
specifically. He's talked about how documents related 
to Farah have ended up on the witness's or on the, my 
client ' s machine . And we think that talking about the 
Centaur logs would give the court the complete picture 
of — 

THE COURT: Government, what is, you're 
planning on addressing the Centaur logs later? 

THE PROSECUTION: In conjunction with 
Department of State information, Your Honor. 

THE COURT: Is there anything in the 
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Centaur logs, I'll ask both sides, that's relevant to 
the Farah videos? 

MR. HURLEY: The defense believes so, Your 

Honor . 

THE COURT: I will overrule the objection 
to the extent you ' re talking about Farah . 

MR. HURLEY: Yes, ma'am. 
BY MR. HURLEY 

Q So could you explain again what are Centaur 

logs? 

A Net flow logs, sir. They're sense words 

throughout the DoD network and they measure, they 
capture the flow of traffic. We don't know what data 
is transferred between two computers . 

Q So if you're a user and you log onto the 

CENTCOM server, we're going to see the IP address 
associated with Agent Shaver has connected to the 
CENTCOM server and we'll see data going back and forth? 

A Correct . 

Q Now, what did you do with the CENTCOM, I'm 

sorry, the Centaur logs? 
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A Sir, I put them to Excel for easier review. 

THE DEFENSE: This time I'm going to 
retrieve Defense Exhibit Charlie for identification. 

Agent Shaver, could you please move to the 

panel box. 

Q I'm handing you what ' s been marked as 

Defense Exhibit Charlie for identification. What is 
t hat do cument ? 

A Sir, this is a spreadsheet I created. It 

shows the IP address of the remote computer, the 
computer name and the computer name contains the words 
CENTCOM and it shows the total number of connections 
and the total data transferred. 

Q How many IPs are listed there that you have 

associated with CENTCOM? 

A Seven . 

Q And when you created this, when you 

reviewed the Centaur logs, well, I'll hold off on that. 
Couple more questions about Centaur logs generally. 

Do those cover net data flow over all of 

DoD? 
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A Yes and no . 

Q Okay . 

A Sensors are placed throughout the network 

so, say, for example, this room is a network. You and 
I could communicate all day long there won't be any 
sensor communication . As soon as you left the room and 
the sensor, that's when it would log it. There may not 
have been any sensors within the actual FOB Hammer or 
Iraq. There may be sensors when you leave country. 

Q Okay . 

A So you ' re not going to get a complete 

picture and also Centaur logs, sensor, they go down, so 
Centaur logs are not a complete picture . There are 
fortunately large breaks of data where there ' s no 
information . 

Q Sure. And, in fact, in the Centaur logs 

that you reviewed there were large gaps in data, 
correct? 

A Yes, sir. 

Q What was the timeframe of the Centaur logs 

that you reviewed in this case? 
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A I want to say October 2009 to May 2010. 

Q And the Centaur Logs you reviewed included 

activity between the 22 and 40 machine and other 
servers throughout DoD, correct? 

A Correct . 

Q Directing your attention back to Defense 

Exhibit Charlie for identification. You mentioned that 
there ' s a column there that talks about how much data 
was actually transferred, correct? 

A Correct . 

Q If you could just, you said there were 

(INAUDIBLE) certification? 
A Correct . 

Q How much data was transferred? 

A Ish? 

Q Ish. Thank you. 

A Maybe 2 megs . 

MR. HURLEY: I'm going to retrieve this 
exhibit for identification from the witness and offer 
it as Defense Exhibit Charlie . 

THE PROSECUTION: We'd object, Your Honor, 



Provided by Freedom of the Press Foundation 



1 

2 
3 
4 
5 
6 
7 
8 
9 
10 
11 
12 
13 
14 
15 
16 
17 
18 
19 
20 
21 



UNOFFICIAL DRAFT - 6/11/13 Afternoon Session 



110 



based on lack of foundation. 

THE COURT: You're the ones that objected. 
If you go more in depth to the Centaur logs. 

THE PROSECUTION: We object on that basis 
that it's outside the scope of direct. 

THE COURT: I understand that but I told 
him I'm limiting him to going with — let me put it 
this way . Does the government believe there may be 
additional foundation with respect to the Centaur logs 
without going beyond what I said with Farah? 

THE PROSECUTION: Your Honor, we'll 
withdraw the objection. 

THE COURT : Thank you . 

Exhibit Charlie for identification is 

admitted. 

MR. HURLEY: I'm now retrieving what's been 
marked as Defense Exhibit Delta for identification. 

I'm handing the witness Defense Exhibit 
Delta for identification. 
BY MR. HURLEY: 

Q Agent Shaver, what is that? 
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A Sir, this is an Excel spreadsheet. I 

created . 

Q What SD memory does that Excel spreadsheet 

show? 

A It shows the source and destination IPs, 

the netflow data on the data that was captured, traffic 
that was captured . 

Q What IPs did you capture in the source IP 

column? 

A Those would be the CENTCOM servers . 

Q Would those be the same IPs from Defense 

Exhibit Charlie? 

A Can I see them to verify? 

Q Sure . 

A Thanks . 

Q I'm handing the witness Defense Exhibit 

Charlie . 

A Thank you, sir. 

(Witness reading.) 
A Yes, sir. 

Q You said you created Defense Exhibit Delta 
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for identification. How did you create that document? 

A Sir, since there was an Excel spreadsheet I 

simply filtered on the IPs that result back to the 
CENTCOM main. 

Q So the source IP column includes the IPs 

from CENTCOM, correct? 

A Correct . 

Q And the destination IPs are what? 

A Either dot 40 or dot 22. 

Q So you would agree with me that Defense 

Exhibit Delta for identification includes the netflow 
data between CENTCOM servers and the 22 and 4 machines 
that was captured by the Centaur logs? 

A Correct . 

Q And again you mentioned there are gaps in 

the Centaur logs? 
A Yes . 

Q Is there any gaps reflected in Defense 

Exhibit Delta for identification? 
A (INAUDIBLE) . 

Q Again, those gaps are because sensors go 
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down? 

A Yes, sir. 

Q Or there could be gaps because there ' s no 

activity? 

A Correct . 

Q We do know that you would agree with me 

it ' s not because of anything that the user would have 
done? 

A Correct . 

Q It wouldn ' t have been PFC Manning who 

tampered with Centaur logs and forced them to not 
gather data? 

A Correct . 

Q That ' s just something that happens . Now, I 

want to talk about, I guess at this time, Your Honor, 
we would offer Defense Exhibit Delta for identification 
as Defense Exhibit Delta? 

THE PROSECUTION: Delta or Charlie? 

THE COURT: They've admitted Charlie. This 

is Delta. 

THE PROSECUTION: No objection. 
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THE COURT: May I see it? 

MR. HURLEY: Retrieving Defense Exhibit 
Delta from the witness . 

THE COURT: Exhibit Delta is admitted. 
BY MR. HURLEY: 

Q Agent Shaver, yesterday you spoke about a 

number of Intelink log searches. Do you recall that? 
A Yes . 

Q We talked about searches that were related 

to Farah? 

A Correct . 

Q One such search was on 30 November by the 

dot 40 machine — I will retrieve Prosecution Exhibit 
81, please. 

MR. HURLEY: Your Honor, the Prosecution 
Exhibit that I'd like the witness to reference is in 
(INAUDIBLE) right now. 

THE COURT: Is this a good time to take a 
brief recess? Can someone go get it? 

THE PROSECUTION: Someone has gone to get 

it. 
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THE COURT: Is it still a good time, how 
long is it going to take them to get it do you think? 

THE PROSECUTION: Probably two or three 

minutes . 

THE COURT: Okay. 

THE PROSECUTION: Or less. 

THE COURT: We can wait. Court is recess 
in place. The witness will remain in the witness box. 
Feel free to move around. 

(Brief recess . ) 

THE COURT: Please proceed. All parties 
present at the last recess were present . 

MR. HURLEY: I'm going to retrieve 
Prosecution Exhibit 81 and hand that to the witness . 

Before we get going on that, I'll retrieve 
Defense Exhibit Charlie from you. 
BY MR. HURLEY: 

Q Okay. We're on prosecution Exhibit 81. 

You ' re able to see all the Intelink searches that 
you've associated with my client, correct? 
A Two computers; yes, sir. 
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Q And the first such search that implicates 

Farah would have been on 30 November. 

THE COURT: That would be 2009. 
MR. HURLEY: Yes, ma'am. 
A Yes, sir. 

Q And that was the dot 40 machine? 

A Yes, sir. 

Q Okay . I'd like you to now look at the 

Centaur logs on 30 November. 

Would you agree with me that there was no 
data transferred between CENTCOM and the 22 or 4 
machine on 30 November? 

A I have no logs from that date . 

Q There are no logs from that date . So you 

would agree there ' s no evidence that any data was 
transferred from the CENTCOM server and the 22 or the 
4 machine? 

A There ' s — there may have been data . I 

can't tell. 

Q Right . Okay . So the Centaur logs don ' t 

show any activity? 
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A Correct . 

Q On 30 November? 

A Correct . 

Q Now, the next search we have is 9 December 

by the dot 40 machine; is that correct? 
A One moment . Correct . 

Q And that was the dot 40 machine looking at 

the Centaur logs . You would agree with me that there 
is no evidence that data was transferred on that day 
either? 

A I have no entries from December 9, correct. 

Q Our next search is on 15 November 2009. 

Again, that's the dot 40 machine? 
A 15 December. 

Q Yes, sir. 

A Yes, sir. 

Q And looking at the Centaur logs? 

A I have no information. 

Q Okay. So there's no evidence of a transfer 

on 15 November? 

A Right . 
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Q Okay. Let's look at the next date, the 

16th of December 2009, again, the dot 4 minute? 

A Correct . I have no log of that . 

Q So no data transferred on the 16th of 

December? 

A Correct . 

Q All right. Now, we have what would be 

December 31st, again, the dot 40 machine. 

THE COURT: What was the date? 
MR. HURLEY: I'm sorry, the 31st of 
December, ma'am. 

A I do not have a 31 December. 

Q You have a search for CENTCOM? 

A I do. 

Q Did you do 30 December or 31? 

A 31 December I do have a search, Intel Link, 

on Centaur I have no data transferred. 

Q No data transferred on Centaur, okay. Now, 

we have 2 January, 2010. And we have a search on the 
dot 40 machine, correct? 

A Yes, sir. 
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Q And the Centaur logs do show a transfer on 

that day? 

A That is correct . 

Q And that transfer was 637 kilobytes, 

correct? 

A I don't have a calculator, sir. 

Q Is it 637,547 bytes? 

A Well, no. I would — 2 January, there are 

numerous entries . Each had bytes . You would have to 
total that up . 

THE COURT : Meaning where entries were 
searched or for Centaur? 

A Centaur has numerous entries and each one 

shows how many bytes were transferred for each entry. 
I'm sorry, there's quite a few numbers here. 

Q What ' s the first one? 

A First byte 38315. Do you want me to go 

through all of this? 
Q Yes . 

A 29185, 168442, 146880, 5888, 2028. 35138. 

21597. 19932, 34797, 7562, 2158, 36338, 21597, 5293, 
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23875, 32333, 3816, and 2373. 

Q Okay . Would you agree with me that that 

comes out to about 600 megs or 600 kilobytes? 
A Sure . 

THE COURT : Do you know or you don ' t know? 
THE WITNESS: No, I don't know, ma'am. I 
need a calculator. I apologize. 

THE COURT: No reason to apologize. 
BY MR. HURLEY: 



Q Agent Shaver, would you agree with me that 

if you were to add up all of that, all those bits and 
bytes, that would not be a enough to transfer a video? 

A Correct . I would agree with you on that . 

Q Our next Intelink search is on 4 January? 

A Yes, sir. 

Q And that's the dot 40 machine again? 

A Yes, sir. 

Q And there ' s no evidence in the Centaur logs 

of data transferred on that day; is that correct? 
A That ' s correct . 

Q Our next search is on 19 February? 
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A Yes, sir, I see it. 

Q Do you say data transferred on that day? 

A I do as well . 

Q Are there multiple instances of data 

transfer? 

A Yes, sir, there are. 

Q How many? 

A I have two . 

Q Would you agree that those two add up to 

about 252 kilobytes? 

A (No answer . ) 

Q Let me ask you this, Agent Shaver: Would 

you agree on 19 February there wasn't enough data 
transferred to transfer one of the zip files containing 
the video from CENTCOM? 

A Yes, sir. 

Q Okay. Now, let's look at 28 February. 

A Yes, sir. 

Q Do we see a search on 28 February? 

A I do. 

Q Again the dot 4 machine? 
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A Yes, sir. 

Q And was there data, there was data 

transferred on that date, correct? 
A Yes, sir; it was. 

Q How many instances of data transferred? 

A Thirteen . 

Q Okay . And would you agree with me that 

there's not enough data transferred on that day to have 
transferred any of the zip files contained in the 
video? 

A Yes, sir. 

Q Let's look at 12 March. 

There's a search on 12 March by the dot 22 

machine? 

A Yes, sir. 

Q And we do see data transferred on that day, 

correct? 

A Yes, sir. 

Q How many instances of transfer are there? 

A I count 29. 

Q And if you add all those up, you would 
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agree with me that that ' s not enough to have 
transferred one of the zip folders containing the video 
from CENTCOM? 

A Yes, sir. 

Q Our next search is on 17 March on the 22 

machine . 

A Yes, sir. 

Q And there ' s no evidence of any data 

transferred on that day, correct? 

A One moment. Correct, sir. 

Q Now, our last Intelink search is on 22 

March, correct? 

A One moment . Correct . 

Q And that was the only search that actually 

specifically references Farah, isn't it? Of all the 
Intelink searches that you've looked at so far, that's 
the only one that implicates Farah? 

A Correct . 

Q And there was data transferred on that 

date? 

A March, yes, sir. 
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Q There are quite a few instances of data 

transferred on that date? 
A Yes, sir. 

Q You would agree with me if you added all 

those up, it wouldn't be enough to transfer one of the 
videos from the CENTCOM server, correct? 

A Yes, sir. 

Q And you would also agree with me that the 

CENTCOM server logs that you reviewed when we talked 
about earlier, those showed activity on 22 March as 
well, right? 

A Correct . 

Q And that was activity where we saw jpegs 

and PDFs and PowerPoint s we looked at, correct? 

A I'm sorry, sir, I believe that was April — 

Q I'm sorry, that's correct. Okay. 

Agent Shaver, I'm going to take those 
exhibits back from you. I'm handing Prosecution 
Exhibit 81 back. 

Agent Shaver, you can move back to the 
witness stand. 
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(Witness complies . ) 

Q Agent Shaver, you would agree with me that 

there were no instances, there's no evidence of any, of 
data being transferred from the CENTCOM servers to the 
22 or the 40 machines in a volume large enough to have 
transferred one of the videos that the CENTCOM server 
posted? 

A Right . 

Q And you would agree with me that the only 

instance of a video that is any way associated with 
Farah that was found on the 22 or the 4 machine was 
actually, actually came from the T-drive? 

A Okay. Yes, sir. 

Q And that was on 17 April? 

A I don ' t remember the date . 

Q But it was in April? 

A Yes, sir. 

Q No further questions. Thank you. 

THE COURT: Redirect. 

THE PROSECUTION: Ten minute recess, Your 

Honor? 
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THE COURT: All right. Agent Shaver, same 
rules apply during recess . Court is in recess until 22 
minutes after 17 00 or five o'clock. 
(Brief recess . ) 

THE COURT: Be seated. All parties are 
present when the court last recessed are in the court. 
The witness is in the witness box. 

REDIRECT EXAMINATION BY MR. MORROW: 
Q Agent Shaver, was the Wget program embedded 

as part of the NCD server? 
A No, sir. 

Q And how does one download documents or 

cables from the NCD server (INAUDIBLE) ? 

A You go to the website and select the files 

you want and download them. 

Q Now, what does Wget allow you to do when 

downloading documents from any server, NCD or 
otherwise? 

A Automates it, more robust, if there's a bad 

connection it will retry. 

Q What are some other technical benefits of 
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Wget when downloading documents? 

A Faster . You can run it in the background . 

You can rename files . 

Q How much faster is Wget? 

A Conservatively, sir. It all depends though 

on the network segment you're on. If you're on a good 
segment it ' s fast but it would be faster if you had a 
good segment. If you're on a poor connection it would 
automate it. It would be faster than the (INAUDIBLE) 
one . 

Q I'd like to talk about the videos again on 

the CENTCOM SharePoint . What was the naming convention 
of the CENTCOM Farah videos, or the videos associated 
with Farah that were on the Sharepoint Server? 

A BE22 . 

Q Was that true of all the videos on there? 

A Yes, sir. 

Q What was the naming convention? 

THE COURT: What is a naming convention? 
MR. MORROW: Just the file name. 
THE COURT: Okay. 
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BY MR. MORROW: 

Q What was the file name? What was the file 

name of the dot WMV file or the video file on the 
T— drive that you said was associated with Farah? 

A It was a TGTl dot WMV. 

Q Now, can you tell whether the videos on the 

CENTCOM Sharepoint Server with the file names of BE22, 
et cetera are the same videos or the same video that 
appeared to be associated with Farah on the T— drive? 

A No, sir, I didn't have, couldn't recover 

the file, TGTl, to compare. 

Q Again, when you searched the unallocated 

space on the dot 40 and dot 22 computers, were you able 
to find any videos? 

A No, sir. 

Q No remnants of any videos? 

A I didn't find complete videos. Video files 

are complex. If you find a part of it, it probably 
won't play. So you need to find basically the entire 
video to make it work right . 

Q I want to ask you about the NT user file. 
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What is that again please? 

A Sir, that's NT user dot net is a registry 

file. It maintains settings. For each individual user 
has one. So, again, the easiest way to do, to explain 
it again, if you have office documents and you go file 
open it and shows the last 10, that's where that's 
maintained . 

Q So the NT user file would show you sort of 

the last 10, if it was the WMV or video file version, 
it would show the last 10 videos that were opened? 

A Associated with that extension. 

Q Okay. Now, if a, let's say a zip file had 

a WMV embedded and it was encrypted or password 
protected, would the NT user file capture a video that 
wasn ' t actually opened? 

A Not in that scenario. 

Q Why is that? 

A Because it would be a zip file and it would 

be also password protected. 

Q So the password protected would prevent it 

from being logged in the NT user? 
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A Correct . 

Q Now, so let me circle back then. What does 

it tell you if the TGTl was in the NT user file? 

A It was not password protected and it was 

viewed . 

Q So it was viewed or opened? 

A Right . 

Q Especially we talked about this awhile ago, 

but you reviewed the Lamo chat logs as part of this 
investigation, correct? 

A Yes, sir. I did. 

Q And I'd like to retrieve Prosecution 

Exhibit 30 . 

Agent Shaver, Prosecution Exhibit 30 are 
the Lamo user chat logs . Can you just review them very 
briefly . 

(Witness reading.) 
A Yes, sir. 

Q And you recall reviewing these chat logs 

prior to the case, correct? 
A Yes, sir. 
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MR. MORROW: I'm retrieving the Exhibit 
from the witness . 

Your Honor, permission to publish? 

THE COURT: Go ahead. 
BY MR. MORROW: 

Q Agent Shaver, I'm publishing page 12 of the 

chat logs . 

Are you able to read that? 
A Yes . Can you make it a little bigger? 

Q Yep. 

A Little easier to read. 

Okay . 

Q Now, I'd like you to start with the entry, 

starting with 2:14:46 p.m. Can you read down from 
there? 

A Sure. Yes, sir. Based upon the 

description he gave me I assessed it was the northern 
European (INAUDIBLE) security team trying to figure out 
how he got the (INAUDIBLE) cable. They also caught 
wind that he had a video of the Gharani airstrike in 
Afghanistan which he has but he hasn't decrypted yet. 
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The detection team was working on the Baghdad strike 
(INAUDIBLE) which was never really encrypted. 

Next line he got the whole 156 for the 
incident, so it won't be just a video with no context. 

Next line, but it's not nearly as damning. 
It is an awful incident, but nothing like the Baghdad 
one . 

Q Let me stop you there . Based on the 

description of the Gharani video and these chat logs 
and what you observed in the NT user file with the WMV 
so TGTl.wmv, what does that tell you? 

A This chat makes it sound like they had the 

password protected one, they have a password protected 
version of the videos and they're, they have not 
decrypted it . 

Q Thank you. I'm going to show you page 4 6 

as well . 

Here I'd like you to read from 4:33:21 p.m. 
A Anything else interesting on this table as 

a former collector of interesting.com info. 

Next line IDK, I don't know. I only know 
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what I provided him. 

Next line, what do you consider the 

highlights . 

Next line, the Gharani airstrike videos and 
for report Iraq war event log, the Gitmo papers and the 
State Department cable database . 

Q Thank you, Agent Shaver. 

THE COURT: Do we have another recross? 

THE PROSECUTION: I have some more. I'm 

sorry . 

I'm handing Prosecution Exhibit 30 back to 
our court reporter . 
BY THE PROSECUTION: 

Q Agent Shaver, let's talk briefly about 

Centaur logs . What do they capture? 

A Netflow information, destination port, 

source board amount of data transferred, date and 
times . 

Q When you reviewed the Centaur logs 

reflected in this case, did you observe any large data 
gaps in those logs? 
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A Yes, sir. 

Q Approximately what was the time period of 

those gaps? 

A End of December was one of the gaps . There 

were several other ones. I don't recall specific dates 
off the top of my head. 

Q Do you recall a gap between November 19th 

and 1 December? 

A Yes, sir. 

Q And based on your review of that gap, do 

you think that there was no activity at that time or 
did you think that there was something wrong with the 
Centaur sensors? 

A Sure, there was something wrong with the 

sensors . 

Q Why do you say that? 

A Sir, computers on a domain, they have to 

communicate with the domain server . But more than that 
they want to update . One of the things they update is 
antivirus and time. The time protocol is used to keep 
all the computers in sync with each other because time 
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and antivirus was not going on during those timeframes, 
either the computer was off or there was a problem with 
the sensor . 

Q So did you not observe any updating of time 

or antivirus at that time? 

A Correct . 

MR. MORROW: I'd like to retrieve Defense 
Exhibit Delta . 
BY MR. MORROW: 

Q Agent Shaver, I'd ask you to move over to 

the panel box again . 

Agent Shaver, I'm handing you Defense 
Exhibit Delta . Please explain again what is Defense 
Exhibit Delta? 

A It ' s netf low logs . But it ' s to and from 

servers, CENTCOM servers. 

Q All the CENTCOM servers that you were able 

to find? 

A Correct . 

Q And to where? 

A To and from dot 40 and dot 22. 
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Q Now, please show me in the Centaur logs the 

activity on 10 April. 

A There are no logs for April . 

Q There's no activity in the Centaur logs 

relating to 10 April 2010? 

A Correct . 

Q What does that tell you based on what you 

saw in the index dot dat file in PFC Manning's dot 22 
computer? 

A These logs were not captured that day. 

Q Is it fair to assume that Centaur logs are 

not a perfect logging system? 
A That ' s correct . 

Q Because there are some gaps in the logs? 

A Yes, sir. 

Q Now, Agent Shaver, you can move back to the 

witness stand, please. 

A (Witness complies.) 

Q Let ' s talk again about you were shown some 

Intel Link logs again . 

What does Intel Link capture when you 
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search for something? 

A It will capture the key word searched and 

things that you click on. Search results that you 
view . 

Q What happens if you click on a result that 

comes back in the Intel Link logs or as a result of 
search in intelligence analyst? 

A If it's on the intelligence analyst it 

should show you to either download a document or visit 
a web page . 

Q So it will sort of direct you to somewhere 

else? 

A It could. 

Q It could. 

Well, let's say, what happens if Intel Link 
redirects you to another server? 

A It's no longer a part of Intelink. It 

passes that information off to the other server so 
there would be no entries within Intelink because it ' s 
no longer part of the Intelink, well, world. 

Q And so is it fair to say that Intelink 
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doesn't capture activities on other servers? 
A That ' s correct . 

Q Now, if you viewed a video on another 

server, would Intelink capture that capacity? 
A Maybe . 

Q Maybe . 

Explain . 

A Depends where the server, where that file 

is . 

Q If you downloaded a video from another 

server, would Intel Link capture that activity? 

A Depends where the server or where it is . 

Q If you clicked on a result and were 

redirected would Intel Link capture that activity? 
A Probably not . 

THE PROSECUTION: No further questions. 

THE COURT: Recross? 

MR. HURLEY: Yes, ma'am. 

RE-CROSS EXAMINATION BY MR. HURLEY: 

Q Agent Shaver? 
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A Hello, sir. 

Q You just talked with Captain Morrow about 

the Lamo chats . You would agree with me that PFC 
Manning never said that he gave the Farah video or the 
Gharani airstrike video? 

A Correct . 

Q And he never said that he gave them an 

encrypted version of the video? 

A Well, there was something he mentions, 

obviously something with encryption and password. 

Q He mentioned that WikiLeaks had an 

encrypted version, correct? 

A Yes . 

Q But he didn ' t actually claim to have given 

them an encrypted version? 
A Correct . 

Q You would agree with me that it ' s possible 

that PFC Manning found an unencrypted version and then 
provided that to WikiLeaks? 

A Anything is possible. 

Q Now, you talked about some of the gaps in 
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the Centaur logs . Were there gaps in the CENTCOM 
server logs? 

A Not to my knowledge . 

Q And you testified before that the BEPAX 

videos had been accessed twice, according to the 
CENTCOM server logs? 

A Correct . 

Q One of those was on 28 January? 

A Yes, sir. 

Q And one of them was on 23 February? 

A Correct . 

Q Both of those in 2010? 

A Correct . 

Q Nothing in 2009? 

A Correct . 

Q You would agree with me that there ' s no 

evidence of PFC Manning or the 22 machine or the dot 4 
machine accessing a file called BE22PAX.zip, correct? 

A Correct . 

Q Do you have any knowledge of whether or not 

WikiLeaks ever told PFC Manning that they had an 
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encrypted version? 

A I would have no knowledge of that . 

Q Did you review any chats between PFC 

Manning and a person associated with WikiLeaks? 

A As part of (INAUDIBLE), yes. 

Q Did you know about a 2008 regarding 

WikiLeaks that (INAUDIBLE)? 

A I knew about it later . 

Q So you ' re aware on 8 January WikiLeaks 

apparently — 

THE COURT : 8 January of what year? 

Q 2010, ma'am, 2008 that they had an 

encrypted version? 

A I don ' t remember the date but I remember 

there being a 2008. 

Q And that was before any chats between PFC 

Manning and Adrian Lamo? 

A Yes . 

Q Those chats were in May? 

A Correct . 

Q And again in those chats he never said 
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that, he never said I sent them an encrypted version? 
A Right . 

Q He just said he ' s aware that WikiLeaks has 

an encrypted version? 
A Yes, sir. 

MR. HURLEY: Nothing further, Your Honor. 
THE COURT: Do you have redirect? 
MR . MORROW : Final . Three or four 
questions, Your Honor. 

THE COURT: Okay. 

REDIRECT EXAMINATION BY MR. MR. MORROW: 
Q Agent Shaver, page 4 6 of the logs we just 

saw, did PFC Manning admit to providing the Gharani 

airstrike videos to WikiLeaks? 

A I got to review it again, sir, I'm sorry. 

Q Yes. Prosecution Exhibit number 30, 

please . 

If you could just refer to page 46. Again 
if you would just read out loud from anything 
interesting as a collector or. 

(Witness reading.) 
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Q Sir, let me help you on it. We'll do it 

this way . 

Just start with the entry at 4:33:44 p.m.? 
A IDK, which commonly stand for I don ' t know . 

I only know what I provided him. 

Next line for Mr. Lamo, what do you 
consider the highlights? The Gharani airstrike videos 
and full report Iraqi war event log, the Gitmo papers 
and the State Department cable database . 

Q That's good. Thank you, Agent Shaver. 

Agent Shaver, I want to talk about the 
CENTCOM Sharepoint Server logs again . 
A Yes, sir. 

Q Did you observe or did you have logs 

collected in this case before 1 December 2009? 
A No, sir. 

Q Why is that? 

A Because they didn ' t exist . The logs rotate 

and we collected them in July 2010 and that's as far 
back as they went . 

Q So 1 December 2009 was as far back as 
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CENTCOM had? 

A Correct . 

Q And when is Thanksgiving generally in the 

year, what month? 

A November . 

Q Usually around what date of November? 

A 27th. 

Q Thank you. 

MR. MORROW: No further questions. 

THE COURT : All right . I have a few . 

EXAMINATION BY THE COURT: 
Q The first one, can you clear up some 

confusion for me. I hear Farah video, Gharani video. 
Are those the same things, are they different? 
A The same thing. 

Q Okay . Let me see if I understand what I 

thought your testimony was . 

The Gharani video was only accessed, 
according to the records, twice from or the Gharani 
video from the Centaur logs. There's no evidence it 
was ever transferred from CENTCOM to the dot 22 or the 
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dot 40? 

A Correct . 

Q Or at least as file name BE22PAX . wmv? 

A The zip file (INAUDIBLE), yes, ma'am. 

Q And there was a video with that file name 

on either the dot 22 or the dot 4 computer? 
A No , ma ' am . 

Q What was on the dot 22 or dot 40 computer? 

A There was another video that was identified 

through the restore points that was called TGTl . Tango 
Gulf Tango 1 . 

Q Okay . 

A However, I have a file name, I don't have, 

actually the video . 

Q Do you know if it is a Farah video? 

A The folder it was in was called Farah but 

the actual contents of the video I do not know. 

Q And why is that? 

A It was deleted, overwritten, and I cannot 

recover it . 

Q I believe you testified you said that that 
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file came from the T— drive? 

A Yes . It was on the T— drive as well by file 

name and then it, it was in Manning, Bradley dot 
Manning user profile. 

Q So it was in both the T— drive which is the 

shared server drive? 

A Correct . 

Q And in PFC Manning's user profile? 

A Correct . 

Q On the T— drive could you view it? 

A No, ma'am. We did not collect that. That 

portion was not collected. 

Q So do you know what the video with that 

same file name, what was the file, the TGT video on the 
T— drive was? 

A No , ma ' am . 

Q If you don't know the answer to this just 

tell me . Did you all have Centaur logs that captured 
data from the CENTCOM share file to the T-drive? 

A No , ma ' am . 

Q Do you know when the TGT file, how long it 
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was on the T— drive when it got there? 

A No, ma'am. I could tell you the first 

incident it was on the Bradley dot Manning file was 
March was the first entry concerning that. 2010. 

THE COURT : I think that ' s all I have . 
Any follow— up based on that? 
MR. MORROW: One moment, Your Honor. 
REDIRECT EXAMINATION BY MR. MORROW: 
Q Agent Shaver, just to clarify, what does 

Centaur actually capture? 

A Transfers between two computers . 

Q Does Centaur capture actual files? 

A No, sir, but it does capture the amount of 

data transferred. 

RE-RECROSS EXAMINATION BY MR. HURLEY: 
Q Agent Shaver, the Centaur logs that you 

reviewed were only Centaur logs that involved the 22 
and 40 machine; is that correct? 
A That ' s correct . 

Q I believe the judge asked you if there was 

any Centaur logs data showing transfer from the Centaur 
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to the T Drive but you didn ' t review any of that 
Centaur logs log data? 
A Correct . 

Q So you didn ' t review all the Centaur logs 

data from CENTCOM, only stuff that was on 22 or 40 
machine? 

A Correct . 

Q It ' s possible there was transfer from the 

CENTCOM to the T-drive; you would have no idea? 
A Correct . 

MR. HURLEY: Thank you. 

THE COURT : All right . Temporary or 
permanent excusal? 

MR. MORROW: Temporary, Your Honor. 

THE COURT: Once again, Agent Shaver, the 
same rules apply. You're temporarily dismissed. 

THE WITNESS: Thank you, ma'am. 

THE COURT: All right. I assume you don't 
want to call anymore witnesses today? 

THE PROSECUTION: Ma'am, sticking to the 
proposed trial schedule for the first time, yes, we do 
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not want to call anyone else . 

United States recommends recess until 
tomorrow morning at 9:30. We'll call the next witness, 
Special Agent Johnson. 

THE COURT: Any objection? 

MR. HURLEY: No, Your Honor. 

THE COURT: Any issues before we recess for 

the court? 

MR. HURLEY: No, Your Honor. 
THE PROSECUTION: No, ma'am. 
THE COURT: Court is recessed until 
9:30 a.m. tomorrow. 

(Court adjourned.) 
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